[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#3963) [development] ACIs design seems incompatible with "disclose" access privilege

Full_Name: Pierangelo Masarati
Version: HEAD
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (
Submitted by: ando

ACIs currently don't have any notion of the "disclose" privilege.  In HEAD code,
the character 'd' has been recently allowed in ACI privileges.  However, ACI's
design does not allow to collect the real access a target is granted, so,
although checking for "disclose" access could be possible by means of a direct
request, e.g. calling access_allowed(ACL_DISCLOSE), current code calls
access_allowed_mask(<access>, &mask) to check if <access> is allowed and
simultaneously get the actual permissions in mask, where the access to
ACL_DISCLOSE is checked by the caller.  ACIs (and possibl the dynacl API) need
be reworked to comply with this usage.

NOTE: in the original draft ACIs are loosely inspired on, 'd' was used for
"delete" permissions; I used 'd' for "dislose" for consistency with the rest of
slapd's access control, since there's no reason to stick with tha expired