|
||
|
||
|
||
|
||
|
||
|
||
|
||
firstyear commented 5 years ago | ||
mhonek commented 5 years ago Well, for some reason, with the 'allow' rule before, although the 'modifiersName' was not mentioned in it it was present in the result (which it should be not) - I guess some implicit rules took place. | ||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Bug Description:
Test suites/filter/rfc3673_all_oper_attrs_test.py::test_search_basic
does not reach constraints extensively. The asserts are too
benevolent.
The commit 6ef4eb5 changed 'normal user' ACIs, however these changes
introduced new attr 'modifiersName' which was supposed to be missing
when searching.
In the first case, assert checks only for 'objectClass' and
pseudo-randomly one more attr to be present which is not sufficient.
In the second case, recently changed assert introduced weaker check
than the one present before.
Fix Description:
Bring back previous ACI to explicitly test the difference when binding
as normal user and the DM.
In case of add_attr == '*', test for all expected_attrs to be in
found_attrs. In the other case bring back the strict comparison as
there used to be before.
https://pagure.io/389-ds-base/issue/49943
Author: mhonek
Review by: ???
We shouldn't be using deny ACI's anyway, they should just be "lack of an allow" ... even in tests.