On 24 Dec 2011, at 12:44, Kiran Ayyagari <[email protected]> wrote:

> On Sat, Dec 24, 2011 at 4:57 PM, Emmanuel Lecharny <[email protected]> wrote:
>> Hi,
>>
>> we have a strange test that checks if a normal user (not the admin) can read
>> under ou=system. This test is just totally wrong, as it uses the admin
>> session, so I tried to fix it using a plain user. Sadly, doing so, I can read
>> almost everything under ou=system.
>>
>> So I question the logic :
>> - can a normal user read something under ou=system (except his own record)
>> - should we instead forbid this user to read the 'uid=admin,ou=system',
>> 'ou=configuration,ou=system', 'ou=groups,ou=system' and 'ou=users,ou=system'
>> entries (and their children) ?
>> - or should we just allow this user to read everything except if the ACI
>> subsystem is set ?
>>
>> IMO, I'd rather go for the third option.
>>
> +1

+1 too.

Regards,
Pierre-Arnaud

>> Note : the test is
>> org.apache.directory.server.core.authz.AuthorizationServiceAsNonAdminIT.testNoSearchByNonAdmin
>> :
>>
>>     /**
>>      * Makes sure non-admin cannot search under ou=system.
>>      *
>>      * @throws Exception if there are problems
>>      */
>>     @Test
>>     public void testNoSearchByNonAdmin() throws Exception
>>     {
>>         LdifEntry akarasulu = getUserAddLdif();
>>
>>         getService().getAdminSession().add(
>>             new DefaultEntry( getService().getSchemaManager(), akarasulu.getEntry() ) );
>>
>>         try
>>         {
>>             ExprNode filter = FilterParser.parse(
>>                 getService().getSchemaManager(), "(objectClass=*)" );
>>             getService().getAdminSession().search( new Dn( "ou=system" ),
>>                 SearchScope.SUBTREE, filter, AliasDerefMode.DEREF_ALWAYS, null );
>>         }
>>         catch ( LdapNoPermissionException e )
>>         {
>>             assertNotNull( e );
>>         }
>>     }
>>
>> It passes with flying colors, just because we don't check anything...
>>
>> --
>> Regards,
>> Kind regards,
>> Emmanuel Lécharny
>> www.iktek.com
>>
>
>
>
> --
> Kiran Ayyagari
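The test discussed above has two defects: it searches with the admin session rather than the user it claims to test, and its try/catch passes silently when no exception is thrown at all. The rewrite below is an added example, not code from this thread or from ApacheDS; it keeps the test's stated intent (non-admin denied under ou=system), goes in the same IT class with its existing imports, and assumes that DirectoryService.getSession( Dn, byte[] ) authenticates as the given principal, that the LDIF entry from getUserAddLdif() carries a userPassword attribute, and that fail() is JUnit's.

```java
/**
 * Added example (not from the thread): runs the search with the
 * non-admin user's own session and fails explicitly when no
 * LdapNoPermissionException is raised.
 */
@Test
public void testNoSearchByNonAdmin() throws Exception
{
    LdifEntry akarasulu = getUserAddLdif();

    // The user entry is still created with the admin session.
    getService().getAdminSession().add(
        new DefaultEntry( getService().getSchemaManager(), akarasulu.getEntry() ) );

    // Assumption: getSession( Dn, byte[] ) binds as the given user.
    // The password is read from the LDIF entry rather than hard-coded.
    byte[] password = akarasulu.getEntry().get( "userPassword" ).getBytes();
    CoreSession userSession = getService().getSession( akarasulu.getDn(), password );

    ExprNode filter = FilterParser.parse(
        getService().getSchemaManager(), "(objectClass=*)" );

    try
    {
        // Same search as the original, but issued as the plain user.
        userSession.search( new Dn( "ou=system" ), SearchScope.SUBTREE, filter,
            AliasDerefMode.DEREF_ALWAYS, null );

        // Without this line the test passes whenever the search is simply allowed,
        // which is exactly how the original passed "with flying colors".
        fail( "A non-admin user was able to search under ou=system" );
    }
    catch ( LdapNoPermissionException e )
    {
        // Expected: the non-admin user is denied.
    }
}
```

If the thread's third option is adopted (reads allowed unless the ACI subsystem is enabled), the expected branch flips when access control is off, so the test would need to check getService()'s access-control setting before deciding whether to expect the exception.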
