adamwill / 389-ds-base

Forked from 389-ds-base 4 years ago

f4a76bb Ticket 49652 - DENY aci's are not handled properly

Authored and Committed by mreynolds 5 years ago
    Ticket 49652 - DENY aci's are not handled properly
    
    Bug Description:  There are really two issues here.  One, when a resource
                      is denied by a DENY aci the cached results for that resource
                      are not properly set, and on the same connection if the same
                      operation is repeated it will be allowed instead of denied because
                      the cache result was not properly updated.
    
                      Two, if there are no ALLOW aci's on a resource, then we don't
                      check the deny rules, and resources that are restricted are
                      returned to the client.
    
    Fix Description:  For issue one, when an entry is denied access reset all the
                      attributes' cache results to DENIED as it's possible previously
                      evaluated aci's granted access to some of these attributes which
                      are still present in the acl result cache.
    
                      For issue two, if there are no ALLOW aci's on a resource but
                      there are DENY aci's, then set the aclpb state flags to
                      process DENY aci's
    
    https://pagure.io/389-ds-base/issue/49652
    
    Reviewed by: tbordaz & lkrispenz (Thanks!!)
    
    (cherry picked from commit 31ba1e793e3c61e2d9b29851a08e39a4fcaf4296)
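
A simplified model of issue one from the commit message, added here as an illustration; it is not code from 389-ds-base or from this commit. The cache layout and the names `conn_cache`, `eval_attr`, `deny_entry` and `repeat_operation` are assumptions made for the example.

```c
#include <stdio.h>

/* Simplified model (constructed): NOT the 389-ds-base ACL plugin code. */
enum result { UNKNOWN = 0, ALLOWED, DENIED };
#define NATTRS 3

/* Hypothetical per-connection cache: one cached result per attribute. */
struct conn_cache { enum result attr[NATTRS]; };

/* Attribute-level evaluation: a cached result short-circuits evaluation. */
static enum result eval_attr(struct conn_cache *c, int i, enum result fresh)
{
    if (c->attr[i] == UNKNOWN)
        c->attr[i] = fresh;      /* first evaluation populates the cache */
    return c->attr[i];           /* later lookups trust the cache */
}

/* Entry-level DENY hit. reset_cache=0 models the behaviour in the bug
 * description; reset_cache=1 models the fix description. */
static void deny_entry(struct conn_cache *c, int reset_cache)
{
    if (!reset_cache)
        return;                  /* stale ALLOWED slots survive */
    for (int i = 0; i < NATTRS; i++)
        c->attr[i] = DENIED;
}

/* Same operation twice on one connection; returns the second result
 * for attribute 0. */
enum result repeat_operation(int reset_cache)
{
    struct conn_cache c = { { UNKNOWN, UNKNOWN, UNKNOWN } };

    /* First pass: an earlier aci grants attribute 0, then a DENY aci
     * denies the entry as a whole. */
    eval_attr(&c, 0, ALLOWED);
    deny_entry(&c, reset_cache);

    /* Second pass: a fresh evaluation would say DENIED, but the cache
     * is consulted first. */
    return eval_attr(&c, 0, DENIED);
}

int main(void)
{
    printf("without reset: %s\n", repeat_operation(0) == ALLOWED ? "ALLOWED (stale)" : "DENIED");
    printf("with reset:    %s\n", repeat_operation(1) == ALLOWED ? "ALLOWED (stale)" : "DENIED");
    return 0;
}
```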