Full_Name: Pierangelo Masarati
Version: HEAD
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (131.175.154.56)
Submitted by: ando

ACIs currently don't have any notion of the "disclose" privilege. In HEAD code, the character 'd' has recently been allowed in ACI privileges. However, ACI's design does not allow collecting the real access a target is granted, so, although checking for "disclose" access could be possible by means of a direct request, e.g. calling access_allowed(ACL_DISCLOSE), current code calls access_allowed_mask(<access>, &mask) to check if <access> is allowed and simultaneously get the actual permissions in mask, where the access to ACL_DISCLOSE is checked by the caller. ACIs (and possibly the dynacl API) need to be reworked to comply with this usage.

NOTE: in the original draft ACIs are loosely inspired by, 'd' was used for "delete" permissions; I used 'd' for "disclose" for consistency with the rest of slapd's access control, since there's no reason to stick with that expired document.

p.
changed notes
moved from Incoming to Development
ACI