From 3310dfa1b7cc4f5fce247eb02a65055b64bb5227 Mon Sep 17 00:00:00 2001
From: Jeff Burke <Jeff.Burke@nrc-cnrc.gc.ca>
Date: Tue, 16 Sep 2014 12:20:35 -0700
Subject: [PATCH] s1651: for add group check creator is group owner

---
 .../nrc/cadc/ac/server/ldap/LdapGroupDAO.java   | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapGroupDAO.java b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapGroupDAO.java
index ac540a0a..edd396bb 100755
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapGroupDAO.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapGroupDAO.java
@@ -102,6 +102,7 @@ import com.unboundid.ldap.sdk.SearchResult;
 import com.unboundid.ldap.sdk.SearchResultEntry;
 import com.unboundid.ldap.sdk.SearchScope;
 import com.unboundid.ldap.sdk.controls.ProxiedAuthorizationV2RequestControl;
+import java.util.logging.Level;
 
 public class LdapGroupDAO<T extends Principal> extends LdapDAO
 {
@@ -150,6 +151,22 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
             throw new IllegalArgumentException("Group owner must be specified");
         }
         
+        try
+        {
+            User<X500Principal> subjectUser = 
+                    userPersist.getMember(getSubjectDN());
+            if (!subjectUser.equals(group.getOwner()))
+            {
+                throw new AccessControlException("Group owner must be group " + 
+                                                 " creator");
+            }
+        }
+        catch (LDAPException e)
+        {
+            e.printStackTrace();
+            throw new RuntimeException(e);
+        }
+        
         try
         {
             getGroup(group.getID());
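Review bot: The failure path at `catch (LDAPException e)` both prints the stack trace to stderr and rethrows as a bare RuntimeException, so a failed lookup of the calling user is reported twice and callers cannot distinguish an LDAP outage from a programming error; the literal split as `"Group owner must be group " + " creator"` also produces a doubled space in the message. Suggested lines: drop `e.printStackTrace();`, rethrow as `throw new RuntimeException("Failed to look up group creator " + getSubjectDN(), e);`, and fix the message to `"Group owner must be group creator"`. The owner-equals-creator decision rests on `subjectUser.equals(group.getOwner())`, so it is only as strong as `User.equals`; it would be worth confirming that equality is defined on a stable identity attribute rather than the default reference comparison, otherwise the check either always rejects or can be satisfied by a caller-supplied owner that merely compares equal. The `import java.util.logging.Level;` added in the first hunk does not appear to be used by this patch. The enclosing method begins before and continues past this hunk.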
-- 
GitLab