--On Saturday, January 13, 2007 1:36 PM -0800 Quanah Gibson-Mount
<quanah(a)stanford.edu> wrote:
--On Saturday, January 13, 2007 11:03 AM +0100 Pierangelo Masarati
<ando(a)sys-net.it> wrote:
> Using the rootdn to generate the list, and
> then check access to the list itself may not be correct, because the
> dynamic list could become a means to circumvent access control to the
> actual data; think of a case where the effective user has no privileges
> on the actual data, but has compare, or even read access to the
> dynamically generated list. Then, if the list were generated as rootdn,
> the user would be able to compare, or even read, on data that is a
> derivative of otherwise inaccessible data. I would consider this a
> violation of data integrity.
Oh, and much thanks for the patch. :) I'll give it a try here soon. ;)
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key:
http://www.stanford.edu/~quanah/pgp.html
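
A toy model of the concern raised in the quoted paragraph, added here as an illustration; it is not part of the message, the patch, or OpenLDAP. All DNs, attribute names and the ACL are constructed assumptions: a requester who may read the generated list but not the source entries sees derived data only when the list is expanded as rootdn.

```python
# Constructed toy model of the access-control concern; not OpenLDAP code.
ROOTDN = "cn=root,dc=example,dc=com"        # hypothetical names throughout
USER = "uid=guest,dc=example,dc=com"
LIST_DN = "cn=staff,ou=lists,dc=example,dc=com"

# Source entries the dynamic list is derived from (constructed sample data).
PEOPLE = {
    "uid=alice,ou=people,dc=example,dc=com": {"mail": "alice@example.com"},
    "uid=bob,ou=people,dc=example,dc=com": {"mail": "bob@example.com"},
}

def allowed(identity, dn, attr):
    """Assumed ACL: rootdn bypasses all checks; everyone else may read
    only the list's 'member' attribute and nothing under ou=people."""
    if identity == ROOTDN:
        return True
    return dn == LIST_DN and attr == "member"

def expand(identity, attr="mail"):
    """Generate the dynamic values from what `identity` itself may read."""
    return sorted(entry[attr] for dn, entry in PEOPLE.items()
                  if allowed(identity, dn, attr))

def read_list(requester, expand_as):
    """Values of the generated 'member' attribute returned to `requester`.
    `expand_as` is the identity used to build the list."""
    if not allowed(requester, LIST_DN, "member"):
        return []
    return expand(expand_as)

def direct_read(requester):
    """What the requester obtains by reading the source entries directly."""
    return expand(requester)

if __name__ == "__main__":
    print("direct read of source data:", direct_read(USER))
    print("list expanded as rootdn:   ", read_list(USER, ROOTDN))
    print("list expanded as requester:", read_list(USER, USER))
```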