
Re: querying ACLs



Shane wrote:
Hi,

Is it possible to "query" what permissions an "entity" has prior to
them trying to make a change or addition? In context, I'm writing an
app that has different levels of editing based on who you are / what
groups you're in etc.

From the majority of examples I've seen this seems to be a try fail sort
of thing, try to edit, if it fails you report the error (usually no
permissions). It would be really handy to turn that around and query
the server first and give an interface to the user which only has
parts they can edit as editable - I could code in which groups have
access etc but then if I add extra groups to the ACL I'll need to
change code ... simply trying to modify every attribute then catching
/ reporting failures or using this to work out what they can edit just
feels dirty and surely isn't very efficient - is there an alternative?

The short answer is: no

The long(er) answer is: there's no way besides trying what modification you desire (possibly, with the no-op control, <draft-zeilenga-ldap-noop>)

A workaround is: you can get a guess, which is not a guarantee but should be considered a hint and, as such, suitable to "grey out fields in a GUI", by using the "allowed" overlay, <http://www.openldap.org/its/?findid=4730>.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
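
Added example (not part of the original message and not OpenLDAP project code): one way a client could turn the "allowed" overlay's hint into GUI field states while still treating the real write as authoritative. It assumes the search requested the overlay's operational attributes allowedAttributes and allowedAttributesEffective; the function names, FieldState and the sample entry are constructed for illustration.

```python
from enum import Enum

class FieldState(Enum):
    EDITABLE = "editable"  # hint: the bound identity may write this attribute
    GREYED = "greyed"      # hint: it may not
    UNKNOWN = "unknown"    # no hint available; only a real write will tell

def base_name(attr):
    """Lower-case an attribute description and drop options such as ;lang-en."""
    return attr.split(";", 1)[0].strip().lower()

def field_states(entry, form_fields):
    """Map each GUI field to a FieldState from the overlay's operational attributes.

    entry: dict of attribute name -> list of bytes values (one search result).
    """
    attrs = {base_name(k): v for k, v in entry.items()}
    effective = attrs.get("allowedattributeseffective")
    if effective is None and "allowedattributes" not in attrs:
        # Overlay not loaded or attributes not requested: no hint at all.
        return {f: FieldState.UNKNOWN for f in form_fields}
    # Overlay answered. LDAP never returns an empty attribute, so a missing
    # allowedAttributesEffective is read as "nothing writable" (assumption).
    writable = {base_name(v.decode("utf-8")) for v in (effective or [])}
    return {f: FieldState.EDITABLE if base_name(f) in writable
            else FieldState.GREYED for f in form_fields}

INSUFFICIENT_ACCESS = 50  # LDAP result code insufficientAccessRights (RFC 4511)

def after_write(state, result_code):
    """The hint is not a guarantee: the server's reply to the real write wins."""
    if result_code == 0:
        return "saved"
    if result_code == INSUFFICIENT_ACCESS:
        # Hint was stale or too coarse; report it and grey the field out.
        return "denied-despite-hint" if state is FieldState.EDITABLE else "denied"
    return "error"

SAMPLE_ENTRY = {  # constructed sample, not real directory data
    "cn": [b"Shane Example"],
    "mail": [b"shane@example.org"],
    "allowedAttributes": [b"cn", b"mail", b"telephoneNumber", b"description"],
    "allowedAttributesEffective": [b"mail", b"telephoneNumber"],
}
```

Authorization stays with slapd's ACLs; the client-side states only decide what the form offers for editing.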