Fix memory leak.

[openldap] / servers / slapd / acl.c

diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index 628adee7b8d0111bf76eacce7249ce4c7d2d6363..31b1b80e9ca256c638bb4a4ab3809d6f7529609d 100644 (file)
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -22,7 +22,7 @@ static AccessControl * acl_get(
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
        AttributeDescription *desc,
 #else
-       const char *attr,
+       const char *desc,
 #endif
        int nmatches, regmatch_t *matches );
 
@@ -33,7 +33,7 @@ static slap_control_t acl_mask(
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
        AttributeDescription *desc,
 #else
-       const char *attr,
+       const char *desc,
 #endif
        struct berval *val,
        regmatch_t *matches );
@@ -46,16 +46,13 @@ static int aci_mask(
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
        AttributeDescription *desc,
 #else
-       const char *attr,
+       const char *desc,
 #endif
-       struct berval *val, struct berval *aci,
-       regmatch_t *matches, slap_access_t *grant, slap_access_t *deny );
-
-char *supportedACIMechs[] = {
-       "1.3.6.1.4.1.4203.666.7.1",     /* experimental IETF aci family */
-       "1.3.6.1.4.1.4203.666.7.2",     /* experimental OpenLDAP aci family */
-       NULL
-};
+       struct berval *val,
+       struct berval *aci,
+       regmatch_t *matches,
+       slap_access_t *grant,
+       slap_access_t *deny );
 #endif
 
 static int     regex_matches(
@@ -87,9 +84,9 @@ access_allowed(
     Operation          *op,
     Entry              *e,
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-       AttributeDescription    *attr,
+       AttributeDescription    *desc,
 #else
-    const char         *attr,
+    const char         *desc,
 #endif
     struct berval      *val,
     slap_access_t      access )
@@ -102,6 +99,12 @@ access_allowed(
        slap_access_mask_t mask;
        slap_control_t control;
 
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+       const char *attr = desc ? desc->ad_cname->bv_val : NULL;
+#else
+    const char *attr = desc;
+#endif
+
        regmatch_t       matches[MAXREMATCHES];
 
        Debug( LDAP_DEBUG_ACL,
@@ -128,7 +131,7 @@ access_allowed(
         * by the user
         */
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-       if ( access >= ACL_WRITE && is_at_no_user_mod( attr->ad_type ) )
+       if ( access >= ACL_WRITE && is_at_no_user_mod( desc->ad_type ) )
 #else
        if ( access >= ACL_WRITE && oc_check_op_no_usermod_attr( attr ) )
 #endif
@@ -168,7 +171,7 @@ access_allowed(
        a = NULL;
        count = 0;
 
-       while( a = acl_get( a, &count, be, op, e, attr, MAXREMATCHES, matches ) )
+       while( a = acl_get( a, &count, be, op, e, desc, MAXREMATCHES, matches ) )
        {
                int i;
 
@@ -186,7 +189,7 @@ access_allowed(
                }
 
                control = acl_mask( a, &mask, be, conn, op,
-                       e, attr, val, matches );
+                       e, desc, val, matches );
 
                if ( control != ACL_BREAK ) {
                        break;
@@ -241,6 +244,12 @@ acl_get(
        assert( e != NULL );
        assert( count != NULL );
 
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+       attr = desc ? desc->ad_cname->bv_val : NULL;
+#else
+       attr = desc;
+#endif
+
        if( a == NULL ) {
                if( be == NULL ) {
                        a = global_acl;
@@ -254,12 +263,6 @@ acl_get(
                a = a->acl_next;
        }
 
-#ifdef SLAPD_SCHEMA_NOT_COMPAT
-       attr = desc->ad_cname->bv_val;
-#else
-       attr = desc;
-#endif
-
        for ( ; a != NULL; a = a->acl_next ) {
                (*count) ++;
 
@@ -320,9 +323,9 @@ acl_mask(
     Operation  *op,
     Entry              *e,
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-       AttributeDescription *attr,
+       AttributeDescription *desc,
 #else
-    const char *attr,
+    const char *desc,
 #endif
     struct berval      *val,
        regmatch_t      *matches
@@ -333,6 +336,11 @@ acl_mask(
 #ifdef LDAP_DEBUG
        char accessmaskbuf[ACCESSMASK_MAXLEN];
 #endif
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+       const char *attr = desc ? desc->ad_cname->bv_val : NULL;
+#else
+       const char *attr = desc;
+#endif
 
        assert( a != NULL );
        assert( mask != NULL );
@@ -441,6 +449,13 @@ acl_mask(
                if ( b->a_dn_at != NULL && op->o_ndn != NULL ) {
                        Attribute       *at;
                        struct berval   bv;
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+                       int match;
+                       const char *text;
+                       const char *desc = b->a_dn_at->ad_cname->bv_val;
+#else
+                       const char *desc = b->a_dn_at;
+#endif
 
                        Debug( LDAP_DEBUG_ACL, "<= check a_dn_at: %s\n",
                                b->a_dn_at, 0, 0);
@@ -455,9 +470,29 @@ acl_mask(
                                at = attrs_find( e->e_attrs->a_next, b->a_dn_at ) )
                        {
                                if( value_find( b->a_dn_at, at->a_vals, &bv ) == 0 ) {
+                                       /* found it */
+                                       match = 1;
+                                       break;
                                }
                        }
 
+                       if( match ) {
+                               if ( b->a_dn_self && (val == NULL
+                                       || value_match( &match, b->a_dn_at,
+                                               b->a_dn_at->ad_type->sat_equality, val, &bv, &text ) )
+                                               != LDAP_SUCCESS
+                                       || match )
+                               {
+                                       continue;
+                               }
+                       } else if ( ! b->a_dn_self || val == NULL
+                               || value_match( &match, b->a_dn_at,
+                                       b->a_dn_at->ad_type->sat_equality, val, &bv, &text )
+                                       != LDAP_SUCCESS
+                               || match )
+                       {
+                               continue;
+                       }
 #else
                        /* see if asker is listed in dnattr */
                        if ( (at = attr_find( e->e_attrs, b->a_dn_at )) != NULL &&
@@ -540,7 +575,7 @@ acl_mask(
                         */
                        for ( i = 0; at->a_vals[i] != NULL; i++ ) {
                                if (aci_mask( be, op,
-                                       e, attr, val, at->a_vals[i],
+                                       e, desc, val, at->a_vals[i],
                                        matches, &grant, &deny ) != 0)
                                {
                                        tgrant |= grant;
@@ -1087,12 +1122,6 @@ aci_mask(
        /* check that the aci family is supported */
        if (aci_get_part(aci, 0, '#', &bv) < 0)
                return(0);
-       for (i = 0; supportedACIMechs[i] != NULL; i++) {
-               if (aci_strbvcmp( supportedACIMechs[i], &bv ) == 0)
-                       break;
-       }
-       if (supportedACIMechs[i] == NULL)
-               return(0);
 
        /* check that the scope is "entry" */
        if (aci_get_part(aci, 1, '#', &bv) < 0
@@ -1190,15 +1219,6 @@ aci_mask(
        return(0);
 }
 
-char *
-get_supported_acimech(
-       int index )
-{
-       if (index < 0 || index >= (sizeof(supportedACIMechs) / sizeof(char *)))
-               return(NULL);
-       return(supportedACIMechs[index]);
-}
-
 #endif /* SLAPD_ACI_ENABLED */
 
 static void