public void modify( NextInterceptor next, ModifyOperationContext opContext ) throws Exception
{
DN name = opContext.getDn();
// Access the principal requesting the operation, and bypass checks if it is the admin
ClonedServerEntry entry = opContext.lookup( name, ByPassConstants.LOOKUP_BYPASS );
LdapPrincipal principal = opContext.getSession().getEffectivePrincipal();
DN principalDn = principal.getClonedName();
// bypass authz code if we are disabled
if ( !opContext.getSession().getDirectoryService().isAccessControlEnabled() )
{
next.modify( opContext );
return;
}
List<Modification> mods = opContext.getModItems();
// bypass authz code but manage caches if operation is performed by the admin
if ( isPrincipalAnAdministrator( principalDn ) )
{
next.modify( opContext );
/**
* @TODO: A virtual entry can be created here for not hitting the backend again.
*/
ServerEntry modifiedEntry = opContext.lookup( name, ByPassConstants.LOOKUP_BYPASS );
tupleCache.subentryModified( name, mods, modifiedEntry );
groupCache.groupModified( name, mods, entry, schemaManager );
return;
}
Set<DN> userGroups = groupCache.getGroups( principalDn.getNormName() );
Collection<ACITuple> tuples = new HashSet<ACITuple>();
addPerscriptiveAciTuples( opContext, tuples, name, entry.getOriginalEntry() );
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( opContext, tuples, name, entry );
engine.checkPermission( schemaManager, opContext, userGroups, principalDn,
principal.getAuthenticationLevel(), name, null, null,
Collections.singleton( MicroOperation.MODIFY ), tuples, entry, null );
Collection<MicroOperation> perms = null;
ServerEntry entryView = ( ServerEntry ) entry.clone();
for ( Modification mod : mods )
{
ServerAttribute attr = (ServerAttribute)mod.getAttribute();
switch ( mod.getOperation() )
{
case ADD_ATTRIBUTE :
perms = ADD_PERMS;
// If the attribute is being created with an initial value ...
if ( entry.get( attr.getId() ) == null )
{
// ... we also need to check if adding the attribute is permitted
engine.checkPermission( schemaManager, opContext, userGroups, principalDn, principal.getAuthenticationLevel(), name,
attr.getId(), null, perms, tuples, entry, null );
}
break;
case REMOVE_ATTRIBUTE :
perms = REMOVE_PERMS;
EntryAttribute entryAttr = entry.get( attr.getId() );
if ( entryAttr != null )
{
// If there is only one value remaining in the attribute ...
if ( entryAttr.size() == 1 )