[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SLAPD: Should access checks take place before filter matching?



At 02:05 PM 6/22/2001, Simon Spero wrote:
>On Fri, 22 Jun 2001, Kurt D. Zeilenga wrote:
>> than with the most simple filters, returning False and returning
>> non-True are NOT equivalent.
>>
>> If I gather what you are suggesting correctly,
>>         (userPassword=secret) is Undefined and entry is not returned.
>>         (!(userPassword=secret)) is True and entry is returned.
>
>test_filter returns a lifted boolean, but the functions that call
>test_filter only test to see if the value is TRUE, and only send a result
>in that case. If the value is anything other than TRUE (i.e. FALSE or
>BOTTOM), no result is returned.  This is true for everywhere in the code
>where test_filter is called.

[edited for discussion purposes]
    case LDAP_FILTER_NOT:
        rc = test_filter( be, conn, op, e, f->f_not );
        
        switch( rc ) {
        case LDAP_COMPARE_TRUE:
            rc = LDAP_COMPARE_FALSE;
            break;
        case LDAP_COMPARE_FALSE:
            rc = LDAP_COMPARE_TRUE;             
            break;
        }

         return rc

Note that the code doesn't just return ( rc != LDAP_COMPARE_TRUE ).
That would be incorrect.