[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#3639) Inconsistent access checking in back-shell?

Here's some discussion of this change in the thread:

At 02:37 AM 4/8/2005, ando@sys-net.it wrote:

>> I forget why this check was added, but (as I recall) it
>> was purposely added.  The reasons to why likely can be
>> found in the commit log and/or -bugs/-devel list archives.
>> I'll try to dig about later...
>I've found back-shell/modify.c 1.23 -> 1.24 introduced this change;
>there's no explanation, besides a comment that the same should be done for
>back-perl and other scriptiong backends.  I think this is incorrect for
>two reasons:
>1) it is inconsistent with other backends and the difference is undocumented
>2) the check is done using a dummy entry, built by placing the DN into an
>empty Entry structure, which causes all access clauses that depend on the
>contents of the object to behave unexpectedly; this is undocumented as
>I've fixed this type of problems in back-sql recently, to restore a
>consistent behavior; the same could be done in back-shell and so, but I
>fear there might be issues related to fetching the required objects, and
>it might not be worth the effort.  In any case, this point should be
>clarified in the docs, regardless of how it's fixed.  I think we should
>make access checking aware of the fact that it's working on a dummy
>target; this should cause clauses that require the real data to take
>appropriate measures (e.g. fail, or just do not apply, or at least issue a
>warning that access checking might be incomplete or inappropriate for that
>Maybe we need to discuss this in -devel.  In any case, there seems to be a
>wide class of backends that do not honor access control as described in
>the docs; there might be very good reasons for this, but they should be
>made explicit.
>Pierangelo Masarati
>    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497