Commit 3310dfa1 authored by Jeff Burke's avatar Jeff Burke

s1651: for add group check creator is group owner

parent 47ab733e
+17 −0
@@ -102,6 +102,7 @@ import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.ldap.sdk.controls.ProxiedAuthorizationV2RequestControl;
import java.util.logging.Level;

public class LdapGroupDAO<T extends Principal> extends LdapDAO
{
@@ -150,6 +151,22 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
            throw new IllegalArgumentException("Group owner must be specified");
        }
        
        try
        {
            User<X500Principal> subjectUser = 
                    userPersist.getMember(getSubjectDN());
            if (!subjectUser.equals(group.getOwner()))
            {
                throw new AccessControlException("Group owner must be group " + 
                                                 " creator");
            }
        }
        catch (LDAPException e)
        {
            e.printStackTrace();
            throw new RuntimeException(e);
        }
        
        try
        {
            getGroup(group.getID());
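Review bot: In the new owner check, `subjectUser.equals(group.getOwner())` is called without a null guard, so if `userPersist.getMember(getSubjectDN())` can return null for an unknown or unauthenticated caller (not visible here) the request ends in a NullPointerException rather than the intended AccessControlException; `if (subjectUser == null || !subjectUser.equals(group.getOwner()))` keeps the denial explicit. The catch block calls `e.printStackTrace()` before rethrowing, which writes LDAP error details to stderr outside the application's logging; the `java.util.logging.Level` import in the first hunk appears unused in the visible lines, so a logger call was presumably intended there. The concatenation `"Group owner must be group " + " creator"` also yields a double space in the message. The enclosing method starts and ends outside the hunk.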