(ITS#6468) ACLs in subordinate databases can be ignored
Full_Name: Rein Tollevik
Version: CVS HEAD
Submission from: (NULL) (2a01:600:0:1:21c:23ff:feab:61cd)
Submitted by: rein
In a glued database configuration where overlays (syncprov, accesslog) are
stacked on top of the glue overlay, ACL evaluation initiated from these overlays
can be evaluated by the superior glue database and not the subordinate database
where the entry actually exists. I.e., ACLs defined in the subordinate databases
are ignored in these cases.

A fix that implements bi_access_allowed in the glue overlay is coming; it
delegates the call to the actual backend where the entry being referenced exists.

An alternative approach I considered was to require the overlays to call
select_backend() to find the actual backend where the entry exists, but that
would imo obfuscate the modularization of the code.
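
For readers reconstructing the affected topology, the following slapd.conf fragment is an added illustration and not part of the original report: a subordinate database with its own ACLs glued under a superior database that has syncprov stacked on the glue overlay. The suffixes, directories, DNs and ACL rules are constructed assumptions.

```conf
# Constructed example: all suffixes, paths, DNs and rules are assumptions.

# Subordinate database. It holds the entries under ou=people and
# defines its own, stricter ACLs.
database    hdb
suffix      "ou=people,dc=example,dc=com"
subordinate
directory   /var/lib/ldap/people
rootdn      "cn=admin,dc=example,dc=com"

access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by users read
    by * none

# Superior database. Its ACLs are looser than the subordinate's.
database    hdb
suffix      "dc=example,dc=com"
directory   /var/lib/ldap/root
rootdn      "cn=admin,dc=example,dc=com"

access to *
    by * read

# glue is configured explicitly and syncprov is stacked on top of it,
# so syncprov operates across the whole glued tree. Per the report, an
# access check that syncprov initiates for an entry under ou=people can
# be evaluated against the superior's "access to * by * read" rule
# instead of the subordinate's rules above.
overlay     glue
overlay     syncprov
```

When auditing a glued deployment for exposure to this issue, compare the ACL sets of each subordinate against its superior: the risk exists only where the subordinate's rules are stricter than the superior's.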