[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)

At 01:47 PM 4/4/2005, Hallvard B Furuseth wrote:
>Kurt D. Zeilenga writes:
>> In your patch, it appears that modify/replace only requires
>> add.  However, as modify/replace deletes existing values,
>> it should require delete as well.
>What if there is no attribute to delete?

The check is not done with knowledge of the entry,
so one has to assume the attribute exists and with
values different then those presented.

Now, if no values are presented, then just delete
can be required.

>What you say is consistent with current behaviour, but current
>behaviour does not look right to me:
>  access to attrs=foo val=bar by *    read
>  access to *                 by self write
>                              by *    read
>does not prevent replace:foo if the entry contains foo:bar.

Value level ACLs are, today, (I think) incomplete.

>It's documented, though.  But if it is the intended behaviour,
>I think slapd startup should at least try to warn about it.
>I'll file an ITS when I know what the error is:-)