slapi_access_allowed() (Sun Java System Directory Server Enterprise Edition 6.2 Developer's Guide)

Sun Java System Directory Server Enterprise Edition 6.2 Developer's Guide

`slapi_access_allowed()`

Determines if the user requesting the current operation has the access rights to perform an operation on a given entry, attribute, or value.

Syntax

#include "slapi-plugin.h"
int slapi_access_allowed( Slapi_PBlock *pb, Slapi_Entry *e,
     char *attr, struct berval *val, int access );

Parameters

This function takes the following parameters:

pb: Parameter block passed into this function.
e: Entry for which you want to check the access rights.
attr: Attribute for which you want to check the access rights.
val: Pointer to the berval structure containing the value for which you want to check the access rights.
access: Type of access rights that you want to check. For example, to check for write access, pass SLAPI_ACL_WRITE as the value of this argument.

The value of the access argument can be one of the following:

SLAPI_ACL_ADD: Permission to add a specified entry.
SLAPI_ACL_COMPARE: Permission to compare the specified values of an attribute in an entry.
SLAPI_ACL_DELETE: Permission to delete a specified entry.
SLAPI_ACL_READ: Permission to read a specified attribute.
SLAPI_ACL_SEARCH: Permission to search on a specified attribute or value.
SLAPI_ACL_WRITE: Permission to write a specified attribute or value or permission to rename a specified entry.

Returns

This function returns one of the following values:

LDAP_SUCCESS if the user has the specified rights to the entry, attribute, or value.
LDAP_INSUFFICIENT_ACCESS if the user does not have the specified rights to the entry, attribute, or value.
If a problem occurs during processing, the function will return one of the following error codes:

LDAP_OPERATIONS_ERROR

An error occurred while executing the operation.

This error can occur if, for example, the type of access rights specified are not recognized by the server. In other words, you did not pass a value from the previous table.

LDAP_INVALID_SYNTAX

Invalid syntax was specified.

This error can occur if the ACL associated with an entry, attribute, or value uses the wrong syntax.

LDAP_UNWILLING_TO_PERFORM

The DSA (this Directory Server instance) is unable to perform the specified operation.

This error can occur if, for example, you are requesting write access to a read-only database.

Description

Call this function to determine if a user has access rights to a specified entry, attribute, or value. The function performs this check for users who request the operation that invokes this plug-in.

For example, suppose you are writing a preoperation plug-in for the add operation. You can call this function to determine if users have the proper access rights before they can add an entry to the directory.

As part of the process of determining if the user has access rights, this function does the following:

Checks if the user requesting the operation is the root DN.

If so, the function returns LDAP_SUCCESS. (The root DN has permission to perform any operation.)
Gets information about the operation being requested, the connection to the client, and the backend database where directory information is stored.
- If for some reason the function cannot determine which operation is being requested, the function returns LDAP_OPERATIONS_ERROR.
- If no connection to a client exists— in other words, if the request for the operation was made by the server or its backend— the function returns LDAP_SUCCESS. (The server and its backend are not restricted by access control lists.)
- If the backend database is read-only and the request is checking for write access (SLAPI_ACL_WRITE), the function returns LDAP_UNWILLING_TO_PERFORM.
Determines if the user requesting the operation is attempting to modify his or her own entry.

ACLs can be set up to allow users the rights to modify their own entries. The function checks for this condition.

The caller must ensure that the backend specified in the parameter block is set prior to calling this function. For example:
```
be = slapi_be_select(slapi_entry_get_sdn_const(seObjectEntry));
if (NULL == be) {
    cleanup("backend selection failed for entry: \"%s\"\n", szObjectDN);
    slapi_send_ldap_result(pb,LDAP_NO_SUCH_OBJECT,NULL,
        "Obj not found",0,NULL);
    return(SLAPI_PLUGIN_EXTENDED_SENT_RESULT);
}

slapi_pblock_set(pb, SLAPI_BACKEND, be);
nAccessResult =
    slapi_access_allowed(pb,seObjectEntry,"*",bval,SLAPI_ACL_DELETE);
```