- rs->sr_err = access_allowed( op, e,
- op->oq_compare.rs_ava->aa_desc, &op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL );
- if ( ! rs->sr_err ) {
- rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+ if ( get_assert( op ) &&
+ ( test_filter( op, e, get_assertion( op )) != LDAP_COMPARE_TRUE ))
+ {
+#ifdef SLAP_ACL_HONOR_DISCLOSE
+ if ( !access_allowed( op, e, slap_schema.si_ad_entry,
+ NULL, ACL_DISCLOSE, NULL ) )
+ {
+ rs->sr_err = LDAP_NO_SUCH_OBJECT;
+ } else
+#endif /* SLAP_ACL_HONOR_DISCLOSE */
+ {
+ rs->sr_err = LDAP_ASSERTION_FAILED;
+ }
+ goto return_results;
+ }
+
+ if ( !access_allowed( op, e, op->oq_compare.rs_ava->aa_desc,
+ &op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL ) )
+ {
+#ifdef SLAP_ACL_HONOR_DISCLOSE
+ /* return error only if "disclose"
+ * is granted on the object */
+ if ( !access_allowed( op, e, slap_schema.si_ad_entry,
+ NULL, ACL_DISCLOSE, NULL ) )
+ {
+ rs->sr_err = LDAP_NO_SUCH_OBJECT;
+ } else
+#endif /* SLAP_ACL_HONOR_DISCLOSE */
+ {
+ rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+ }