[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: detecting rights

Timo Boettcher wrote:
> Hi all!
> Sorry for bugging again...
> I'm using group based ACL's for access-control, implemeting different
> levels of access for different subtrees. Now I'd like detect whether a
> user has the right to read/write a to a specific entry because I won't
> display this possibillities on application-side to minimize
> user-confusion.
> Is there any possibility to do that without trying to read/write to an
> entry? I'm using ldap via php (I don't think that this matters, that
> should be ldap-related, not php-related. If I'm wrong with that, I'm
> sorry to post this Off-Topic but hope to get help anyhow).

If I get it right, you want to know if a user has access to a subtree
without performing a search on the subtree.  In other words you ask if
the server publishes its ACL.  I don't recall any means for a server
to publish ACLs (this would open security issues, I guess).  The ACL
mechanism is applied by the server to the data; it is implementation
dependent.  IMHO all you can do is let clients ask for data; protect
on the server side.


Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 | mailto:masarati@aero.polimi.it
via La Masa 34, 20156 Milano, Italy   |