Diffstat (limited to 'ldap/test-user-acl.sh')
-rwxr-xr-xldap/test-user-acl.sh87
1 files changed, 14 insertions, 73 deletions
diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh
index 6983706..b3fd930 100755
--- a/ldap/test-user-acl.sh
+++ b/ldap/test-user-acl.sh
@@ -545,26 +545,21 @@ echo "Authenticated users, access to alias entries"
# * entry:
# =s for all
# +a if canCreateAlias
-# +rd if alias owner, domain owner or domain postmaster
-# +z (regular alias) if alias owner
-# +w (regular alias) if domain owner or domain postmaster
+# +zrd if alias owner, domain owner or domain postmaster
# * children:
# =0 for all
# * objectClass:
# =s for all
# * fva:
-# =rscd (reserved alias) if domain owner or domain postmaster
-# =wrscd (regular alias) if alias owner, domain owner or domain postmaster
+# =wrscd if alias owner, domain owner or domain postmaster
# * fripostMaildrop:
# =wrscd if alias owner, domain owner or domain postmaster
# * fripostIsStatusActive:
-# =rscd (reserved alias) if domain owner or domain postmaster
-# =wrscd (regular alias) if alias owner, domain owner or domain postmaster
+# =wrscd if alias owner, domain owner or domain postmaster
# * fripostOwner:
# =d for all
-# +rsc (reserved alias) if domain owner or domain postmaster
-# +rsc (regular alias) if alias owner, domain owner or domain postmaster
-# +w (regular alias) if domain owner or domain postmaster
+# +rsc if alias owner, domain owner or domain postmaster
+# +w if domain owner or domain postmaster
# * description:
# =wrscd if alias owner, domain owner or domain postmaster
@@ -590,70 +585,16 @@ msg "Have =s access to \"objectClass\""
usersD objectClass | isOK '=s' objectClass
[ $? -eq 0 ] || exit $?
-RESERVED_ATTRS="entry/delete
- fva/write
- fripostIsStatusActive/write"
-RESERVED_ATTRS2="fripostOwner/add fripostOwner/delete"
-ATTRS="entry/read entry/disclose
- fva/read fva/search fva/compare fva/disclose
+ATTRS="entry/delete entry/read entry/disclose
+ fva/write fva/read fva/search fva/compare fva/disclose
fripostMaildrop/add fripostMaildrop/delete fripostMaildrop/read fripostMaildrop/search fripostMaildrop/compare fripostMaildrop/disclose
- fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose
+ fripostIsStatusActive/write fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose
fripostOwner/read fripostOwner/compare fripostOwner/disclose
description/add description/delete description/read description/search description/compare description/disclose"
+ATTRSO="fripostOwner/add fripostOwner/delete"
-msg "Cannot delete/deactivate/change ownership of reserved aliases"
-for U in ${USERS}; do
- for A in ${ALIASES}; do
- DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- LA="$(echo "${A}" | sed -re 's/^fva=(.*),fvd=[^,]+$/\1/')"
- [ "x${LA}" = "xabuse" -o "x${LA}" = "xpostmaster" ] && \
- checkACL "${U}" "${A}" ${RESERVED_ATTRS}
- done
-done | isOK 'DENIED$' entry
-[ $? -eq 0 ] || exit $?
-
-
-msg "Can delete/deactivate/change ownership of regular aliases (if alias Owner)"
-for U in ${USERS}; do
- for A in ${ALIASES}; do
- DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- LA="$(echo "${A}" | sed -re 's/^fva=(.*),fvd=[^,]+$/\1/')"
- [ "x${LA}" != "xabuse" -a "x${LA}" != "xpostmaster" ] && \
- search -s base -b "${A},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \
- checkACL "${U}" "${A}" ${RESERVED_ATTRS}
- done
-done | isOK 'ALLOWED$' entry
-[ $? -eq 0 ] || exit $?
-
-
-msg "Can delete/deactivate/change ownership of regular aliases (if domain Owner)"
-for U in ${USERS}; do
- for A in ${ALIASES}; do
- DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- LA="$(echo "${A}" | sed -re 's/^fva=(.*),fvd=[^,]+$/\1/')"
- [ "x${LA}" != "xabuse" -a "x${LA}" != "xpostmaster" ] && \
- search -s base -b "${DA},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \
- checkACL "${U}" "${A}" ${RESERVED_ATTRS} ${RESERVED_ATTRS2}
- done
-done | isOK 'ALLOWED$' entry
-[ $? -eq 0 ] || exit $?
-
-
-msg "Can delete/deactivate/change ownership of regular aliases (if domain Postmaster)"
-for U in ${USERS}; do
- for A in ${ALIASES}; do
- DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- LA="$(echo "${A}" | sed -re 's/^fva=(.*),fvd=[^,]+$/\1/')"
- [ "x${LA}" != "xabuse" -a "x${LA}" != "xpostmaster" ] && \
- search -s base -b "${DA},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \
- checkACL "${U}" "${A}" ${RESERVED_ATTRS} ${RESERVED_ATTRS2}
- done
-done | isOK 'ALLOWED$' entry
-[ $? -eq 0 ] || exit $?
-
-
-msg "Can change destination (if alias Owner)"
+msg "Can edit alias (if alias Owner)"
for U in ${USERS}; do
for A in ${ALIASES}; do
search -s base -b "${A},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \
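Review bot: With the three `RESERVED_ATTRS` loops removed, nothing in this hunk still exercises the `abuse` and `postmaster` aliases separately, so the suite no longer records whether an alias owner may delete or deactivate them. The new `ATTRS` list moves `entry/delete`, `fva/write` and `fripostIsStatusActive/write` into the general list used by the ALLOWED checks, which presumably now cover those two aliases as well, since `ALIASES` is iterated without a filter. If that is the intended policy, state it next to the list, e.g. `# reserved aliases (abuse, postmaster) are no longer special-cased; alias owners may delete or deactivate them`; if the protection is enforced elsewhere, keep one DENIED case that pins it. `ATTRSO` would also read better with a comment such as `# fripostOwner changes: domain owner or domain postmaster only`. The loop under "Can edit alias (if alias Owner)" continues past the end of the hunk.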
@@ -663,7 +604,7 @@ done | isOK 'ALLOWED$' entry read
[ $? -eq 0 ] || exit $?
-msg "Can change destination and create new aliases (if domain Owner)"
+msg "Can edit alias and create new aliases (if domain Owner)"
for U in ${USERS}; do
for A in ${ALIASES}; do
DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
@@ -674,7 +615,7 @@ done | isOK 'ALLOWED$' entry add
[ $? -eq 0 ] || exit $?
-msg "Can change destination and create new aliases (if domain Postmaster)"
+msg "Can edit alias and create new aliases (if domain Postmaster)"
for U in ${USERS}; do
for A in ${ALIASES}; do
DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
@@ -731,7 +672,7 @@ for U in ${USERS}; do
DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
search -s base -b "${DA},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX})
(fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
- checkACL "${U}" "${A}" ${RESERVED_ATTRS2}
+ checkACL "${U}" "${A}" ${ATTRSO}
done
done | isOK 'DENIED$' fripostOwner add
[ $? -eq 0 ] || exit $?
@@ -744,7 +685,7 @@ for U in ${USERS}; do
search -s base -b "${A},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' || \
search -s base -b "${DA},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX})
(fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
- checkACL "${U}" "${A}" ${RESERVED_ATTRS} ${ATTRS}
+ checkACL "${U}" "${A}" ${ATTRS} ${ATTRSO}
done
done | isOK 'DENIED$' entry delete
[ $? -eq 0 ] || exit $?
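Review bot: Adding `${ATTRSO}` to this DENIED check repeats what the preceding `fripostOwner add` loop already asserts. Users who are neither alias owner nor domain owner/postmaster are a subset of the users that loop selects (not domain owner/postmaster). The repetition is harmless, but a one-line comment such as `# ATTRSO repeated on purpose: unrelated users must not touch fripostOwner either` would make the intent clear. The enclosing loop starts before the hunk.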