[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: limits

> The limit code in the frontend needs also to be run before calling
> backend operations internally.
> How about having a utilify function to set the operation limits ?
> instead of duplicating codes ?

I already moved the code into do_search(); we could make
a be_search() where to put limits and delegate the actual
call to be->be_search to it.  I think the backend selection
should not be there.  Note that usually internal searches
are likely to be run with special privileges, but to be
general I guess limits could apply to them.

If we plan to move limits to other operations, the
infrastructure needs a further level of generalization;
but first we should make clear what is worth limiting,
or at least to design what types of parameters should
be limited.  For searches we already have a reasonable
set: soft/hard size/time, candidates, page size; since
there are no other bulk operations in LDAP, I don't
actually see anything we could do better than with ACLs.
The only advantage of using limits istead of ACLs is
that operation denial occurs a bit earlier, based on
the identity of the issuer, with no knowledge of the
values or types the restriction applies to.

Right now, I feel fine with search limits in the
front-end, possibly wrapping calls to be->be_search(),
but I'd like to know if anybody thinks there is room
for more applications.


Pierangelo Masarati