Issue 3963 - [development] ACIs design seems incompatible with "disclose" access privilege
Summary: [development] ACIs design seems incompatible with "disclose" access privilege
Status: UNCONFIRMED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: unspecified
Hardware: All  OS: All
Importance: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
Reported: 2005-08-23 13:26 UTC by ando@openldap.org
Modified: 2014-08-01 21:04 UTC

Description ando@openldap.org 2005-08-23 13:26:08 UTC
Full_Name: Pierangelo Masarati
Version: HEAD
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (131.175.154.56)
Submitted by: ando


ACIs currently don't have any notion of the "disclose" privilege.  In HEAD code,
the character 'd' has been recently allowed in ACI privileges.  However, ACI's
design does not allow collecting the real access a target is granted, so,
although checking for "disclose" access could be possible by means of a direct
request, e.g. calling access_allowed(ACL_DISCLOSE), current code calls
access_allowed_mask(<access>, &mask) to check if <access> is allowed and
simultaneously get the actual permissions in mask, where the access to
ACL_DISCLOSE is checked by the caller.  ACIs (and possibly the dynacl API) need
to be reworked to comply with this usage.

NOTE: in the original draft ACIs are loosely inspired by, 'd' was used for
"delete" permissions; I used 'd' for "disclose" for consistency with the rest of
slapd's access control, since there's no reason to stick with that expired
document.

p.
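
The mismatch described above, modelled as an added example in C (not OpenLDAP's code): an ACI-style evaluator can only answer one yes/no question per requested right, so a wrapper in the access_allowed_mask(<access>, &mask) shape has to probe every right to fill the mask that the caller's ACL_DISCLOSE check relies on. The privilege bits, aci_rules, aci_allowed, both adapters and deny_result are constructed names; only ACL_DISCLOSE and access_allowed_mask come from the report.

```c
#include <stdbool.h>
#include <string.h>
/* Hypothetical privilege bits standing in for slapd's access levels (not the real slap_mask_t values). */
#define ACL_DISCLOSE 0x01u
#define ACL_READ     0x02u
#define ACL_WRITE    0x04u
/* Constructed ACI table: the rights each subject is granted on the target. */
struct aci_rule { const char *subject; unsigned rights; };
static const struct aci_rule aci_rules[] = {
    { "cn=admin",  ACL_DISCLOSE | ACL_READ | ACL_WRITE },
    { "cn=viewer", ACL_DISCLOSE | ACL_READ },  /* errors may be disclosed */
    { "cn=guest",  ACL_READ },                 /* read, but no 'd' right  */
};

/* ACI-style evaluator: it can only answer "is this one access allowed?". */
bool aci_allowed(const char *subject, unsigned access)
{
    for (size_t i = 0; i < sizeof aci_rules / sizeof aci_rules[0]; i++)
        if (strcmp(aci_rules[i].subject, subject) == 0)
            return (aci_rules[i].rights & access) == access;
    return false;
}

/* Naive adapter to the access_allowed_mask() shape: *mask only reflects the
 * access that was asked for, so the caller never sees the disclose bit. */
bool access_allowed_mask_naive(const char *subject, unsigned access, unsigned *mask)
{
    bool ok = aci_allowed(subject, access);
    *mask = ok ? access : 0;
    return ok;
}

/* Reworked adapter: probe every right so *mask holds the real grant, which
 * is what the caller's ACL_DISCLOSE check depends on. */
bool access_allowed_mask_full(const char *subject, unsigned access, unsigned *mask)
{
    static const unsigned rights[] = { ACL_DISCLOSE, ACL_READ, ACL_WRITE };
    *mask = 0;
    for (size_t i = 0; i < sizeof rights / sizeof rights[0]; i++)
        if (aci_allowed(subject, rights[i]))
            *mask |= rights[i];
    return (*mask & access) == access;
}

/* Caller-side policy on denial: only a subject holding disclose may learn that
 * the target exists; everyone else is told "no such object". */
const char *deny_result(unsigned mask)
{
    return (mask & ACL_DISCLOSE) ? "insufficientAccessRights" : "noSuchObject";
}
```

With the naive adapter, cn=viewer denied write is told "noSuchObject" even though the ACI grants 'd'; the full adapter reports the grant correctly.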

Comment 1 ando@openldap.org 2005-08-23 13:26:40 UTC
changed notes
moved from Incoming to Development
Comment 2 OpenLDAP project 2014-08-01 21:04:57 UTC
ACI