author | Noriko Hosoi <nhosoi@redhat.com> | 2008-06-27 19:28:22 +0000 |
---|---|---|
committer | Noriko Hosoi <nhosoi@redhat.com> | 2008-06-27 19:28:22 +0000 |
commit | 70425fbcea96d1b477fea27eca67fb7e828c446e (patch) | |
tree | 7142ac3a793a263cafbd486458fcaeb7c092e54d /ldap/servers/slapd/schema.c | |
parent | b643fa2279635381cdb0ff6d62f39b93f6a6e22f (diff) | |
Resolves: #437525
Summary: GER: allow GER for non-existing entries
Description:
[slapd/charray.c]
new: charray_merge_nodup -- merge 2 string arrays skipping the duplicates
modified: charray_remove -- introduced "freeit" flag. If true, the removed
string is freed. (The API is used only in chainingdb. The change is applied
to the plugin.)
[slapd/opshared.c]
modified: check OP_FLAG_GET_EFFECTIVE_RIGHTS in iterate to support
"@<objectclass>". The check has to be done at this location because the acl
plugin must be called even when no entries are returned from the search. If no
entries are returned and "@<objectclass>" is found in the attribute list, the
acl effective rights code generates the corresponding template entry.
[slapd/pblock.c]
place to store gerattrs is added (SLAPI_SEARCH_GERATTRS), where gerattrs is an
array of strings which store "...@<objectclass>".
[slapd/result.c]
moved OP_FLAG_GET_EFFECTIVE_RIGHTS checking to iterate (opshared.c)
[slapd/schema.c]
new: slapi_schema_list_objectclass_attributes -- return the required and/or
allowed attributes belonging to the given objectclass. This is used to support
"*" and "+" in the get effective rights.
new: slapi_schema_get_superior_name -- return the superior objectclass name of
the given objectclass.
[slapd/search.c]
if "<attr>@<objectclass>" is found in the attribute list, cut the <attr> part
out and added to the attrs array (pblock SLAPI_SEARCH_ATTRS) and store the
original
string to the gerattrs (pblock SLAPI_SEARCH_GERATTRS).
[plugin/acl/acleffectiverights.c]
modified: _ger_g_permission_granted -- if the requester and the subject user
are
identical, give "g" permission
modified: _ger_parse_control -- replaced strcpy with memmove since strcpy does
not guarantee the result of the overlap copy.
modified: _ger_get_attrs_rights -- support "*" (all attributes belonging to the
object) and "+" (operational attributes). If repeated attributes are found in
the given attribute list, they are reduced to one.
new: _ger_generate_template_entry -- generate a template entry if
"@<objectclass>" is passed.
[pluginc/cb/*]
adjusted to the updated charray_remove.
Please see also this wiki page for the overview and test cases.
http://directory.fedoraproject.org/wiki/Get_Effective_Rights_for_non-present_attributes
Diffstat (limited to 'ldap/servers/slapd/schema.c')
-rw-r--r-- | ldap/servers/slapd/schema.c | 122 |
1 files changed, 94 insertions, 28 deletions
diff --git a/ldap/servers/slapd/schema.c b/ldap/servers/slapd/schema.c
index d116e340..b8e154af 100644
--- a/ldap/servers/slapd/schema.c
+++ b/ldap/servers/slapd/schema.c
@@ -641,41 +641,41 @@ static int oc_check_required( Slapi_PBlock *pb, Slapi_Entry *e, struct objclass *oc ) { int i; - int rc = 0; /* success, by default */ + int rc = 0; /* success, by default */ Slapi_Attr *a; if (oc == NULL || oc->oc_required == NULL || oc->oc_required[0] == NULL) { - return 0; /* success, as none required */ + return 0; /* success, as none required */ } /* for each required attribute */ for ( i = 0; oc->oc_required[i] != NULL; i++ ) { /* see if it's in the entry */ for ( a = e->e_attrs; a != NULL; a = a->a_next ) { - if ( slapi_attr_type_cmp( oc->oc_required[i], a->a_type, - SLAPI_TYPE_CMP_SUBTYPE ) == 0 ) { - break; - } - } - - /* not there => schema violation */ - if ( a == NULL ) { - char errtext[ BUFSIZ ]; - char ebuf[ BUFSIZ ]; - LDAPDebug( LDAP_DEBUG_ANY, - "Entry \"%s\" missing attribute \"%s\" required" - " by object class \"%s\"\n", - escape_string( slapi_entry_get_dn_const(e), ebuf ), - oc->oc_required[i], oc->oc_name); - if (pb) { - PR_snprintf( errtext, sizeof( errtext ), - "missing attribute \"%s\" required" - " by object class \"%s\"\n", - oc->oc_required[i], oc->oc_name ); - slapi_pblock_set( pb, SLAPI_PB_RESULT_TEXT, errtext ); - } - rc = 1; /* failure */ - } + if ( slapi_attr_type_cmp( oc->oc_required[i], a->a_type, + SLAPI_TYPE_CMP_SUBTYPE ) == 0 ) { + break; + } + } + + /* not there => schema violation */ + if ( a == NULL ) { + char errtext[ BUFSIZ ]; + char ebuf[ BUFSIZ ]; + LDAPDebug( LDAP_DEBUG_ANY, + "Entry \"%s\" missing attribute \"%s\" required" + " by object class \"%s\"\n", + escape_string( slapi_entry_get_dn_const(e), ebuf ), + oc->oc_required[i], oc->oc_name); + if (pb) { + PR_snprintf( errtext, sizeof( errtext ), + "missing attribute \"%s\" required" + " by object class \"%s\"\n", + oc->oc_required[i], oc->oc_name ); + slapi_pblock_set( pb, SLAPI_PB_RESULT_TEXT, errtext ); + } + rc = 1; /* failure */ + } } return rc; 
@@ -1392,8 +1392,8 @@ schema_list_attributes_callback(struct asyntaxinfo *asi, void *arg) } /* Return the list of attributes names matching attribute flags */ - -char ** slapi_schema_list_attribute_names(unsigned long flag) +char ** +slapi_schema_list_attribute_names(unsigned long flag) { struct listargs aew; memset(&aew,0,sizeof(struct listargs)); 
@@ -4966,3 +4966,69 @@ slapi_reload_schema_files(char *schemadir)
 return LDAP_LOCAL_ERROR;
 }
 }
+
+/*
+ * slapi_schema_list_objectclass_attributes:
+ * Return the list of attributes belonging to the objectclass
+ *
+ * The caller is responsible to free the returned list with charray_free.
+ * flags: one of them or both:
+ * SLAPI_OC_FLAG_REQUIRED
+ * SLAPI_OC_FLAG_ALLOWED
+ */
+char **
+slapi_schema_list_objectclass_attributes(const char *ocname_or_oid,
+ PRUint32 flags)
+{
+ struct objclass *oc = NULL;
+ char **attrs = NULL;
+ PRUint32 mask = SLAPI_OC_FLAG_REQUIRED | SLAPI_OC_FLAG_ALLOWED;
+
+ if (!flags) {
+ return attrs;
+ }
+
+ oc_lock_read();
+ oc = oc_find_nolock(ocname_or_oid);
+ if (oc) {
+ switch (flags & mask) {
+ case SLAPI_OC_FLAG_REQUIRED:
+ attrs = charray_dup(oc->oc_required);
+ break;
+ case SLAPI_OC_FLAG_ALLOWED:
+ attrs = charray_dup(oc->oc_allowed);
+ break;
+ case SLAPI_OC_FLAG_REQUIRED|SLAPI_OC_FLAG_ALLOWED:
+ attrs = charray_dup(oc->oc_required);
+ charray_merge(&attrs, oc->oc_allowed, 1/*copy_strs*/);
+ break;
+ default:
+ slapi_log_error( SLAPI_LOG_FATAL, "list objectclass attributes",
+ "flag 0x%x not supported\n", flags );
+ break;
+ }
+ }
+ oc_unlock();
+ return attrs;
+}
+
+/*
+ * slapi_schema_get_superior_name:
+ * Return the name of the superior objectclass
+ *
+ * The caller is responsible to free the returned name
+ */
+char *
+slapi_schema_get_superior_name(const char *ocname_or_oid)
+{
+ struct objclass *oc = NULL;
+ char *superior = NULL;
+
+ oc_lock_read();
+ oc = oc_find_nolock(ocname_or_oid);
+ if (oc) {
+ superior = slapi_ch_strdup(oc->oc_superior);
+ }
+ oc_unlock();
+ return superior;
+} |
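Review bot: In `slapi_schema_list_objectclass_attributes`, `oc->oc_required` and `oc->oc_allowed` are passed to `charray_dup` without a NULL check, although `oc_check_required` in the first hunk of this file treats `oc->oc_required == NULL` as a normal state. `charray_dup` is not shown here; if it walks the array without testing the pointer, an object class with no required (or no allowed) attributes would crash the server, and per the commit description the class name comes from the `@<objectclass>` entry in the request's attribute list. Guarding each call, e.g. `attrs = oc->oc_required ? charray_dup(oc->oc_required) : NULL;`, and doing the same for `oc->oc_allowed`, keeps that case safe; in the combined case `charray_merge` should then also be confirmed to accept a NULL `attrs`. The header comment could also state that NULL is returned for an unknown object class, zero flags, or unsupported flags, so callers can tell "no attributes" from a lookup failure only by other means.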