fix substring_comp_candidates logic if intersection of candidates

[openldap] / servers / slapd / acl.c

diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index 85cdda55152c974db148e163e54c83f021c4ad56..6dcdcd50870b045a946c60aa459b3cee572dbfd4 100644 (file)
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -55,7 +55,7 @@ access_allowed(
                e->e_dn, attr, 0 );
 
        /* the lastmod attributes are ignored by ACL checking */
-       if ( oc_check_operational( attr ) ) {
+       if ( oc_check_no_usermod_attr( attr ) ) {
                Debug( LDAP_DEBUG_ACL, "Operational attribute: %s access allowed\n",
                        attr, 0, 0 );
                return(1);
@@ -212,7 +212,6 @@ acl_access_allowed(
 )
 {
        int             i;
-       char            *odn;
        struct access   *b;
        Attribute       *at;
        struct berval   bv;
@@ -244,11 +243,9 @@ acl_access_allowed(
                return( default_access >= access );
        }
 
-       odn = op->o_ndn;
-
-       if ( odn != NULL ) {
-               bv.bv_val = odn;
-               bv.bv_len = strlen( odn );
+       if ( op->o_ndn != NULL ) {
+               bv.bv_val = op->o_ndn;
+               bv.bv_len = strlen( bv.bv_val );
        }
 
        for ( i = 1, b = a->acl_access; b != NULL; b = b->a_next, i++ ) {
@@ -260,7 +257,17 @@ acl_access_allowed(
                         * user is bound as somebody in the same namespace as
                         * the entry, OR the given dn matches the dn pattern
                         */
-                       if ( strcasecmp( b->a_dnpat, "self" ) == 0 && 
+                       if ( strcasecmp( b->a_dnpat, "anonymous" ) == 0 && 
+                               (op->o_ndn == NULL || *(op->o_ndn) == '\0' ) ) 
+                       {
+                               Debug( LDAP_DEBUG_ACL,
+                               "<= acl_access_allowed: matched by clause #%d access %s\n",
+                                   i, ACL_GRANT(b->a_access, access)
+                                               ? "granted" : "denied", 0 );
+
+                               return ACL_GRANT(b->a_access, access );
+
+                       } else if ( strcasecmp( b->a_dnpat, "self" ) == 0 && 
                                op->o_ndn != NULL && *(op->o_ndn) && e->e_dn != NULL ) 
                        {
                                if ( strcmp( edn, op->o_ndn ) == 0 ) {
@@ -272,7 +279,7 @@ acl_access_allowed(
                                        return ACL_GRANT(b->a_access, access );
                                }
                        } else {
-                               if ( regex_matches( b->a_dnpat, odn, edn, matches ) ) {
+                               if ( regex_matches( b->a_dnpat, op->o_ndn, edn, matches ) ) {
                                        Debug( LDAP_DEBUG_ACL,
                                    "<= acl_access_allowed: matched by clause #%d access %s\n",
                                    i, ACL_GRANT(b->a_access, access)
@@ -343,7 +350,7 @@ acl_access_allowed(
 
                        return ACL_GRANT(b->a_access, access );
                }
-#ifdef SLAPD_ACLGROUPS
+
                if ( b->a_group != NULL && op->o_ndn != NULL ) {
                        char buf[1024];
 
@@ -355,7 +362,7 @@ acl_access_allowed(
                        string_expand(buf, sizeof(buf), b->a_group, edn, matches);
                        (void) dn_normalize_case(buf);
 
-                       if (backend_group(be, e, buf, odn,
+                       if (backend_group(be, e, buf, op->o_ndn,
                                b->a_group_oc, b->a_group_at) == 0)
                        {
                                Debug( LDAP_DEBUG_ACL,
@@ -364,7 +371,6 @@ acl_access_allowed(
                                return ACL_GRANT(b->a_access, access );
                        }
                }
-#endif /* SLAPD_ACLGROUPS */
        }
 
        Debug( LDAP_DEBUG_ACL,
@@ -399,7 +405,7 @@ acl_check_modlist(
                regmatch_t       matches[MAXREMATCHES];
 
                /* the lastmod attributes are ignored by ACL checking */
-               if ( oc_check_operational( mlist->ml_type ) ) {
+               if ( oc_check_no_usermod_attr( mlist->ml_type ) ) {
                        Debug( LDAP_DEBUG_ACL, "Operational attribute: %s access allowed\n",
                                mlist->ml_type, 0, 0 );
                        continue;
@@ -512,6 +518,8 @@ regex_matches(
        char newbuf[512];
        int     rc;
 
+       if(str == NULL) str = "";
+
        string_expand(newbuf, sizeof(newbuf), pat, buf, matches);
        if (( rc = regcomp(&re, newbuf, REG_EXTENDED|REG_ICASE))) {
                char error[512];