Re: SLAPD: Should access checks take place before filter matching?

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

At 11:34 AM 6/22/2001, Kurt D. Zeilenga wrote:
>At 10:18 AM 6/22/2001, Simon Spero wrote:
>>On Thursday, June 21, 2001, at 07:25 PM, Kurt D. Zeilenga wrote: 
>>
>>>At 08:58 AM 6/21/2001, Simon Spero wrote: 
>>>>During the course of testing some other stuff I noticed that several functions in filter_entry check acl info before they test to see if the filter matches. 
>>
>>>In our ACM, one must have search permission to evaluate a filter 
>>>and read permission to return the entry.  Search is dependent 
>>>on the filter and checked during filter evaluation.  Read 
>>>permissions apply only to matching entries. 
>>
>>The set of results returned by an implementation that checks access before checking the filter, and the set returned by one  that checks the filter before evaluating the access control are  precisely identical.
>
>Not necessarily....  just because (X=foo) is allowed to be
>evaluated does not mean that attribute X will be returned.
>Permission to search (=x) is orthogonal to permission to
>read (=r) and semantically quite different.

For example, consider the ACLs:

        access to attr=userPassword by * none
        access to * by * read

and the filter (userPassword=secret).

If one doesn't evaluate the ACL during filter matching, then
all entries matching the filter will be returned without the
userPassword, but the client will still know that all returned
entries have "secret" as a value of userPassword.

Kurt