Radovan Semancik wrote:
On 02/22/2016 04:07 PM, Michael Ströder wrote:
The problem are operations that add and remove the same value at the same time.
Of course a second user interacting with your UI could revert the changes made by a first user. There's nothing you could do about that.
Exactly.
Or operations that replace the values. But the attributeOrValueExists error is not going to help here.
We have to distinguish various write operations in detail: attributeOrValueExists (for MOD_ADD) and its counterpart noSuchAttribute (for MOD_DELETE) solely helps if your modify request only contains *single* attribute values.
Not even in that case. E.g. see above. You will not get the error if you are re-adding a group that was deleted just a millisecond ago just because the network latencies haven't turned up in your favor.
So, the implication "error => something wrong happened" does not hold. And the implication "something wrong happened => error" does not hold either. So, what the error really says is:
"Hey there! Maybe something wrong happened. Or maybe not. It may all be OK. There is no way to be sure. So forget it. I just wanted to talk to you. Sorry to bother you. And, by the way, your operation failed. Just for fun. Try something else. I won't tell you what. Go figure. Bye."
How useful is that?
I think we mostly agree on the general issues.
But we agree to disagree whether permissive modify control is part of a solution or will mask serious security issues. Personally I prefer to let problems/error happen and then explicitly ignore them if I'm 100% sure it's ok. So personally I wouldn't use permissive modify control. YMMV.
Correct. But this specific thing will not help you. Because the error may happen when everything is OK. And even worse: it might NOT happen if there is a real problem. Relying on that error makes no sense. And in fact it might be even dangerous. This is a bad trade-off. Very bad.
Your logic is flawed: "Just because you may not get an error message when something bad has happened, we want to *never* get an error message when something bad has happened."
Automated or not, large scale distributed or not, if two administrators are making overlapping changes to a single user's privileges at the same time, you have a broken system.
There's a relevant joke "A man with two watches never knows what time it is."
If you don't have distinctly delegated administration zones, and you allow multiple admins to independently operate on the same population of users, you can *never* know if your security definitions are correct. Error messages of this nature are a clear indication that your delegations are broken.