
Re: sizelimit evaluated before ACLs?



On Wed, 2005-11-23 at 15:14 -0800, Howard Chu wrote:
>    
> It is the as-designed behavior. But you're right, the design is broken 
> here. Currently all sizelimit checking is done in the individual 
> backends,

This could be easily fixed: right now, backends just rely on the fact
they got to calling send_search_entry() to do sizelimit handling; we
should check if the entry was actually sent (and trusting the return
value of send_search_entry() would not work, because many callback
layers may intervene)...  I suspect we'd need to add a special internal
result code that says "ACLs prevented sending to client", sort of
SLAP_INSUFFICIENT_ACCESS.

> while the search ACLs are checked in the frontend. Checking in 
> the backends means there's a lot of redundant code; it should all be 
> moved into the frontend.
> 
> Such a change would break the pagedResults implementation in back-bdb. 
> But that's probably OK, since the pagedResults feature properly belongs 
> in the frontend as well.

That's on the long-term todo list...

p.




Ing. Pierangelo Masarati
Head of Open Solution

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
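
An added illustration, not OpenLDAP code and not part of the original message, of the behaviour this thread discusses: when the backend counts every candidate toward the sizelimit, entries later withheld by ACLs still consume it. All names are hypothetical; `ACL_DENIED` models the internal "ACLs prevented sending" result code proposed above, and the sample entries are constructed.

```c
#include <stdio.h>

/* Toy model only; every name here is hypothetical, none is OpenLDAP's. */
enum { SENT, ACL_DENIED };                    /* ACL_DENIED: the proposed internal code */
enum { RES_SUCCESS = 0, RES_SIZELIMIT = 4 };  /* 4 = LDAP sizeLimitExceeded */

struct entry { const char *dn; int readable; };  /* readable: ACL lets this client see it */
struct result { int code; int delivered; };

/* Constructed sample: three entries hidden by ACLs, then two visible ones. */
static const struct entry SAMPLE[] = {
    { "cn=a,dc=example,dc=com", 0 }, { "cn=b,dc=example,dc=com", 0 },
    { "cn=c,dc=example,dc=com", 0 }, { "cn=d,dc=example,dc=com", 1 },
    { "cn=e,dc=example,dc=com", 1 },
};

/* Frontend stand-in: applies the ACL and says whether the entry reached the client. */
static int model_send_entry(const struct entry *e) {
    return e->readable ? SENT : ACL_DENIED;
}

/* Backend counts every candidate it passes to the frontend, sent or not. */
struct result search_count_candidates(const struct entry *db, int n, int limit) {
    struct result r = { RES_SUCCESS, 0 };
    int counted = 0;
    for (int i = 0; i < n; i++) {
        if (counted++ >= limit) { r.code = RES_SIZELIMIT; return r; }
        if (model_send_entry(&db[i]) == SENT) r.delivered++;
    }
    return r;
}

/* Limit applied after the ACL decision: denied entries do not consume it. */
struct result search_count_delivered(const struct entry *db, int n, int limit) {
    struct result r = { RES_SUCCESS, 0 };
    for (int i = 0; i < n; i++) {
        if (!db[i].readable) continue;                 /* ACL denied: skip, uncounted */
        if (r.delivered >= limit) { r.code = RES_SIZELIMIT; return r; }
        if (model_send_entry(&db[i]) == SENT) r.delivered++;
    }
    return r;
}

int main(void) {
    struct result a = search_count_candidates(SAMPLE, 5, 2);
    struct result b = search_count_delivered(SAMPLE, 5, 2);
    printf("candidates counted: code=%d delivered=%d\n", a.code, a.delivered);
    printf("delivered counted:  code=%d delivered=%d\n", b.code, b.delivered);
    return 0;
}
```

With a limit of 2, the first variant reports sizeLimitExceeded after delivering nothing, while the second delivers both visible entries and returns success.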