SLAP_ACI_SCOPE_SUBTREE = ( SLAP_ACI_SCOPE_ENTRY | SLAP_ACI_SCOPE_CHILDREN )
} slap_aci_scope_t;
-static AccessControl * acl_get(
+static AccessControl * slap_acl_get(
AccessControl *ac, int *count,
Operation *op, Entry *e,
AttributeDescription *desc,
int nmatch, regmatch_t *matches,
AccessControlState *state );
-static slap_control_t acl_mask(
+static slap_control_t slap_acl_mask(
AccessControl *ac, slap_mask_t *mask,
Operation *op, Entry *e,
AttributeDescription *desc,
* the whole attribute is assumed (all values).
*
* This routine loops through all access controls and calls
- * acl_mask() on each applicable access control.
+ * slap_acl_mask() on each applicable access control.
* The loop exits when a definitive answer is reached or
* or no more controls remain.
*
return 1;
}
-static int
+int
slap_access_allowed(
Operation *op,
Entry *e,
memset( matches, '\0', sizeof( matches ) );
}
- while ( ( a = acl_get( a, &count, op, e, desc, val,
+ while ( ( a = slap_acl_get( a, &count, op, e, desc, val,
MAXREMATCHES, matches, state ) ) != NULL )
{
int i;
( state->as_recorded & ACL_STATE_RECORDED_NV ) )
{
Debug( LDAP_DEBUG_ACL,
- "slap_access_allowed: result from state (%s)\n",
+ "=> slap_access_allowed: result from state (%s)\n",
attr, 0, 0 );
ret = state->as_result;
goto done;
} else {
Debug( LDAP_DEBUG_ACL,
- "slap_access_allowed: no res from state (%s)\n",
+ "=> slap_access_allowed: no res from state (%s)\n",
attr, 0, 0 );
}
}
vd_access:
- control = acl_mask( a, &mask, op,
+ control = slap_acl_mask( a, &mask, op,
e, desc, val, MAXREMATCHES, matches, count, state );
if ( control != ACL_BREAK ) {
}
assert( op->o_bd != NULL );
- /* delegate to backend */
- if ( op->o_bd->bd_info->bi_access_allowed != NULL ) {
- bi_access_allowed = op->o_bd->bd_info->bi_access_allowed;
+ /* this is enforced in backend_add() */
+ if ( op->o_bd->bd_info->bi_access_allowed ) {
+ /* delegate to backend */
+ ret = op->o_bd->bd_info->bi_access_allowed( op, e, desc, val, access, state, &mask );
+
} else {
- bi_access_allowed = slap_access_allowed;
+ /* use default */
+ ret = slap_access_allowed( op, e, desc, val, access, state, &mask );
}
- ret = bi_access_allowed( op, e, desc, val, access, state, &mask );
+
if ( !ret ) {
if ( ACL_IS_INVALID( mask ) ) {
Debug( LDAP_DEBUG_ACL,
memset( matches, '\0', sizeof(matches) );
}
- while ( ( a = acl_get( a, &count, op, e, desc, val,
+ while ( ( a = slap_acl_get( a, &count, op, e, desc, val,
MAXREMATCHES, matches, state ) ) != NULL )
{
int i;
}
vd_access:
- control = acl_mask( a, &mask, op,
+ control = slap_acl_mask( a, &mask, op,
e, desc, val, MAXREMATCHES, matches, count, state );
if ( control != ACL_BREAK ) {
#endif /* SLAP_OVERLAY_ACCESS */
/*
- * acl_get - return the acl applicable to entry e, attribute
+ * slap_acl_get - return the acl applicable to entry e, attribute
* attr. the acl returned is suitable for use in subsequent calls to
* acl_access_allowed().
*/
static AccessControl *
-acl_get(
+slap_acl_get(
AccessControl *a,
int *count,
Operation *op,
if( state && !( state->as_recorded & ACL_STATE_RECORDED_VD )) {
state->as_recorded |= ACL_STATE_RECORDED_VD;
- state->as_vd_acl = prev;
+ state->as_vd_acl = a;
state->as_vd_acl_count = *count;
state->as_vd_access = a->acl_access;
state->as_vd_access_count = 1;
if ( a->acl_attrs[0].an_desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName ) {
if (value_match( &match, desc,
- desc->ad_type->sat_equality, 0,
+ /* desc->ad_type->sat_equality */ a->acl_attrval_mr, 0,
val, &a->acl_attrval, &text ) != LDAP_SUCCESS ||
match )
continue;
if ( vdnlen < patlen )
continue;
- if ( a->acl_dn_style == ACL_STYLE_BASE ) {
+ if ( a->acl_attrval_style == ACL_STYLE_BASE ) {
if ( vdnlen > patlen )
continue;
- } else if ( a->acl_dn_style == ACL_STYLE_ONE ) {
+ } else if ( a->acl_attrval_style == ACL_STYLE_ONE ) {
int rdnlen = -1;
if ( !DN_SEPARATOR( val->bv_val[vdnlen - patlen - 1] ) )
if ( rdnlen != vdnlen - patlen - 1 )
continue;
- } else if ( a->acl_dn_style == ACL_STYLE_SUBTREE ) {
+ } else if ( a->acl_attrval_style == ACL_STYLE_SUBTREE ) {
if ( vdnlen > patlen && !DN_SEPARATOR( val->bv_val[vdnlen - patlen - 1] ) )
continue;
- } else if ( a->acl_dn_style == ACL_STYLE_CHILDREN ) {
+ } else if ( a->acl_attrval_style == ACL_STYLE_CHILDREN ) {
if ( vdnlen <= patlen )
continue;
/*
- * acl_mask - modifies mask based upon the given acl and the
+ * slap_acl_mask - modifies mask based upon the given acl and the
* requested access to entry e, attribute attr, value val. if val
* is null, access to the whole attribute is assumed (all values).
*
*/
static slap_control_t
-acl_mask(
+slap_acl_mask(
AccessControl *a,
slap_mask_t *mask,
Operation *op,
continue;
}
- /* this could be improved by changing acl_mask so that it can deal with
+ /* this could be improved by changing slap_acl_mask so that it can deal with
* by clauses that return grant/deny pairs. Right now, it does either
* additive or subtractive rights, but not both at the same time. So,
* we need to combine the grant/deny pair into a single rights mask in
continue;
}
- /* this could be improved by changing acl_mask so that it can deal with
+ /* this could be improved by changing slap_acl_mask so that it can deal with
* by clauses that return grant/deny pairs. Right now, it does either
* additive or subtractive rights, but not both at the same time. So,
* we need to combine the grant/deny pair into a single rights mask in
}
for ( ; mlist != NULL; mlist = mlist->sml_next ) {
+ /*
+ * Internal mods are ignored by ACL_WRITE checking
+ */
+ if ( mlist->sml_flags & SLAP_MOD_INTERNAL ) {
+ Debug( LDAP_DEBUG_ACL, "acl: internal mod %s:"
+ " modify access granted\n",
+ mlist->sml_desc->ad_cname.bv_val, 0, 0 );
+ continue;
+ }
+
/*
* no-user-modification operational attributes are ignored
* by ACL_WRITE checking as any found here are not provided
if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
fprintf( stderr, "%s: line %d: "
"inappropriate style \"%s\" in \"aci\" by clause\n",
- fname, lineno, sty );
+ fname, lineno, style_strings[sty] );
return -1;
}
projects / openldap / blobdiff