The ACL check that allows a user to search with a filter should be the following:

For each field used in the filter, check whether there is an ACL with exactly the same name in one of the tabs of the categories of all the searched objectTypes.

If there is one (or several), the user needs read rights on those ACLs in the searched base.

If there is none, the user needs read rights on all fields of all tabs of all the searched objectTypes in the searched base.

Limitations:

* This means a user with read rights on `fooBar` in `ou=a,dc=root` and `ou=b,dc=root` won’t be able to search for `(fooBar=a*)` in `dc=root`, since the rights are checked in the searched base.
* It may be slow to search for fields in all the tabs of all the categories; we may need an index to speed that up.
* If a user is missing a read right on any field or tab, they won’t be able to search on LDAP operational attributes, which FD is not aware of (an attribute with no matching ACL falls under the rule that requires read rights on everything).
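The check described above, together with the three limitations, as an added worked example in Python. This is not FusionDirectory's own code: the objectType/tab/field model (`OBJECT_TYPES`), the grant list (`RIGHTS`), the helper names (`filter_attributes`, `build_acl_index`, `dn_covers`, `has_read`, `can_search`) and the simplified DN handling are all assumptions made for illustration. It goes slightly beyond the page by pre-building the field index the second limitation asks for and by parsing the attribute names out of an RFC 4515 filter string.

```python
import re

# Constructed model of what FusionDirectory knows (assumption, not real FD data):
# objectType -> tab -> names of the ACLs/fields defined in that tab.
OBJECT_TYPES = {
    "user": {
        "user": ["uid", "cn", "sn", "givenName", "fooBar"],
        "posixAccount": ["uidNumber", "gidNumber", "homeDirectory"],
    },
    "group": {
        "group": ["cn", "description", "memberUid"],
    },
}

# Attribute names in an RFC 4515 filter: "(attr=...)", "(attr>=...)",
# "(attr~=...)" and extensible "(attr:dn:rule:=...)". The attribute name
# directly follows "(", so the "(&", "(|" and "(!" operators are skipped.
_ATTR_RE = re.compile(r"\(\s*([A-Za-z][\w.;-]*)(?::[^=()]*)?[~<>]?=")


def filter_attributes(ldap_filter):
    """Return the set of attribute names referenced by a filter (hypothetical helper)."""
    return {m.group(1) for m in _ATTR_RE.finditer(ldap_filter)}


def build_acl_index(model):
    """Index field name -> {(objectType, tab)} once, so the per-field lookup
    does not rescan every tab of every category (the index limitation 2 asks for)."""
    index = {}
    for object_type, tabs in model.items():
        for tab, fields in tabs.items():
            for name in fields:
                index.setdefault(name, set()).add((object_type, tab))
    return index


ACL_INDEX = build_acl_index(OBJECT_TYPES)


def dn_covers(granted_base, searched_base):
    """A right granted on a base applies to that base and its subtree only.
    Simplified DN handling (assumption): split on commas, no escaping, case-insensitive."""
    granted = [rdn.strip().lower() for rdn in granted_base.split(",")]
    searched = [rdn.strip().lower() for rdn in searched_base.split(",")]
    return len(granted) <= len(searched) and searched[len(searched) - len(granted):] == granted


def has_read(rights, base, object_type, tab, name):
    """rights is a list of (base, objectType, tab, field) read grants (constructed format)."""
    return any(
        dn_covers(rbase, base) and (robj, rtab, rname) == (object_type, tab, name)
        for rbase, robj, rtab, rname in rights
    )


def can_search(rights, base, ldap_filter, object_types):
    """Apply the page's rule. Returns (allowed, offending_attribute, missing_rights)."""
    for attr in sorted(filter_attributes(ldap_filter)):
        # Rule 1: ACLs with exactly this name among the searched objectTypes.
        matches = {(ot, tab) for ot, tab in ACL_INDEX.get(attr, ()) if ot in object_types}
        if matches:
            required = [(ot, tab, attr) for ot, tab in sorted(matches)]
        else:
            # Rule 2: unknown to FD (e.g. an operational attribute), so read on every
            # field of every tab of every searched objectType is required (limitation 3).
            required = [
                (ot, tab, name)
                for ot in object_types
                for tab, names in OBJECT_TYPES[ot].items()
                for name in names
            ]
        missing = [req for req in required if not has_read(rights, base, *req)]
        if missing:
            return False, attr, missing
    return True, None, []


# Constructed grants for the worked example (assumption): fooBar readable only
# under ou=a and ou=b, uid readable from dc=root downwards.
RIGHTS = [
    ("ou=a,dc=root", "user", "user", "fooBar"),
    ("ou=b,dc=root", "user", "user", "fooBar"),
    ("dc=root", "user", "user", "uid"),
]

# Grants on everything FD knows, rooted at dc=root.
FULL_RIGHTS = [
    ("dc=root", ot, tab, name)
    for ot, tabs in OBJECT_TYPES.items()
    for tab, names in tabs.items()
    for name in names
]

if __name__ == "__main__":
    print(can_search(RIGHTS, "ou=a,dc=root", "(fooBar=a*)", ["user"]))  # allowed
    print(can_search(RIGHTS, "dc=root", "(fooBar=a*)", ["user"]))  # refused: limitation 1
    print(can_search(RIGHTS, "dc=root", "(&(uid=j*)(createTimestamp>=2024))", ["user"]))  # refused: limitation 3
    print(can_search(FULL_RIGHTS, "dc=root", "(createTimestamp>=2024)", ["user", "group"]))  # allowed
```

The `missing` list returned by `can_search` names the first field, tab and objectType the user lacks, which is what an operator needs when a search is refused; the refusal for `(fooBar=a*)` in `dc=root` comes from `dn_covers` rejecting a grant on a child OU for a search at its parent, exactly the first limitation.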