[Date Prev][Date Next]
Re: detecting rights
Timo Boettcher wrote:
> Hi all!
> Sorry for bugging again...
> I'm using group based ACL's for access-control, implemeting different
> levels of access for different subtrees. Now I'd like detect whether a
> user has the right to read/write a to a specific entry because I won't
> display this possibillities on application-side to minimize
> Is there any possibility to do that without trying to read/write to an
> entry? I'm using ldap via php (I don't think that this matters, that
> should be ldap-related, not php-related. If I'm wrong with that, I'm
> sorry to post this Off-Topic but hope to get help anyhow).
If I get it right, you want to know if a user has access to a subtree
without performing a search on the subtree. In other words you ask if
the server publishes its ACL. I don't recall any means for a server
to publish ACLs (this would open security issues, I guess). The ACL
mechanism is applied by the server to the data; it is implementation
dependent. IMHO all you can do is let clients ask for data; protect
on the server side.
Dr. Pierangelo Masarati | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale | fax: +39 02 2399 8334
Politecnico di Milano | mailto:firstname.lastname@example.org
via La Masa 34, 20156 Milano, Italy |