/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2010 The OpenLDAP Foundation.
+ * Copyright 1998-2012 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
AccessControlState *state );
static slap_control_t slap_acl_mask(
- AccessControl *ac, slap_mask_t *mask,
+ AccessControl *ac,
+ AccessControl *prev,
+ slap_mask_t *mask,
Operation *op, Entry *e,
AttributeDescription *desc,
struct berval *val,
{
int ret = 1;
int count;
- AccessControl *a = NULL;
+ AccessControl *a, *prev;
#ifdef LDAP_DEBUG
char accessmaskbuf[ACCESSMASK_MAXLEN];
state = &acl_state;
if ( state->as_desc == desc &&
state->as_access == access &&
- state->as_vd_acl != NULL )
+ state->as_vd_acl_present )
{
a = state->as_vd_acl;
count = state->as_vd_acl_count;
}
MATCHES_MEMSET( &matches );
+ prev = a;
while ( ( a = slap_acl_get( a, &count, op, e, desc, val,
&matches, &mask, state ) ) != NULL )
Debug( LDAP_DEBUG_ACL, "\n", 0, 0, 0 );
}
- control = slap_acl_mask( a, &mask, op,
+ control = slap_acl_mask( a, prev, &mask, op,
e, desc, val, &matches, count, state, access );
if ( control != ACL_BREAK ) {
}
MATCHES_MEMSET( &matches );
+ prev = a;
}
if ( ACL_IS_INVALID( mask ) ) {
if ( state->as_desc == desc &&
state->as_access == access &&
state->as_result != -1 &&
- state->as_vd_acl == NULL )
+ !state->as_vd_acl_present )
{
Debug( LDAP_DEBUG_ACL,
"=> access_allowed: result was in cache (%s)\n",
continue;
}
- if ( state->as_vd_acl == NULL ) {
+ if ( !state->as_vd_acl_present ) {
+ state->as_vd_acl_present = 1;
state->as_vd_acl = prev;
state->as_vd_acl_count = *count - 1;
ACL_PRIV_ASSIGN ( state->as_vd_mask, *mask );
* Record value-dependent access control state
*/
#define ACL_RECORD_VALUE_STATE do { \
- if( state && state->as_vd_acl == NULL ) { \
- state->as_vd_acl = a; \
- state->as_vd_acl_count = count; \
+ if( state && !state->as_vd_acl_present ) { \
+ state->as_vd_acl_present = 1; \
+ state->as_vd_acl = prev; \
+ state->as_vd_acl_count = count - 1; \
ACL_PRIV_ASSIGN( state->as_vd_mask, *mask ); \
} \
} while( 0 )
if ( ! bdn->a_self )
return 1;
- ACL_RECORD_VALUE_STATE;
-
/* this is a self clause, check if the target is an
* attribute.
*/
static slap_control_t
slap_acl_mask(
AccessControl *a,
+ AccessControl *prev,
slap_mask_t *mask,
Operation *op,
Entry *e,
ACL_INVALIDATE( modmask );
+ /* check for the "self" modifier in the <access> field */
+ if ( b->a_dn.a_self ) {
+ const char *dummy;
+ int rc, match = 0;
+
+ ACL_RECORD_VALUE_STATE;
+
+ /* must have DN syntax */
+ if ( desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName &&
+ !is_at_syntax( desc->ad_type, SLAPD_NAMEUID_SYNTAX )) continue;
+
+ /* check if the target is an attribute. */
+ if ( val == NULL ) continue;
+
+ /* a DN must be present */
+ if ( BER_BVISEMPTY( &op->o_ndn ) ) {
+ continue;
+ }
+
+ /* target is attribute, check if the attribute value
+ * is the op dn.
+ */
+ rc = value_match( &match, desc,
+ desc->ad_type->sat_equality, 0,
+ val, &op->o_ndn, &dummy );
+ /* on match error or no match, fail the ACL clause */
+ if ( rc != LDAP_SUCCESS || match != 0 )
+ continue;
+ }
+
/* AND <who> clauses */
if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
Debug( LDAP_DEBUG_ACL, "<= check a_dn_pat: %s\n",
}
}
- /* check for the "self" modifier in the <access> field */
- if ( b->a_dn.a_self ) {
- const char *dummy;
- int rc, match = 0;
-
- ACL_RECORD_VALUE_STATE;
-
- /* must have DN syntax */
- if ( desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName &&
- !is_at_syntax( desc->ad_type, SLAPD_NAMEUID_SYNTAX )) continue;
-
- /* check if the target is an attribute. */
- if ( val == NULL ) continue;
-
- /* a DN must be present */
- if ( BER_BVISEMPTY( &op->o_ndn ) ) {
- continue;
- }
-
- /* target is attribute, check if the attribute value
- * is the op dn.
- */
- rc = value_match( &match, desc,
- desc->ad_type->sat_equality, 0,
- val, &op->o_ndn, &dummy );
- /* on match error or no match, fail the ACL clause */
- if ( rc != LDAP_SUCCESS || match != 0 )
- continue;
- }
-
#ifdef SLAP_DYNACL
if ( b->a_dynacl ) {
slap_dynacl_t *da;
/* fall thru to check value to add */
case LDAP_MOD_ADD:
+ case SLAP_MOD_ADD_IF_NOT_PRESENT:
assert( mlist->sml_values != NULL );
+ if ( mlist->sml_op == SLAP_MOD_ADD_IF_NOT_PRESENT
+ && attr_find( e->e_attrs, mlist->sml_desc ) )
+ {
+ break;
+ }
+
for ( bv = mlist->sml_nvalues
? mlist->sml_nvalues : mlist->sml_values;
bv->bv_val != NULL; bv++ )
break;
case LDAP_MOD_DELETE:
+ case SLAP_MOD_SOFTDEL:
if ( mlist->sml_values == NULL ) {
if ( ! access_allowed( op, e,
mlist->sml_desc, NULL,
}
} else {
- assert( rs->sr_type == REP_RESULT );
+ switch ( rs->sr_type ) {
+ case REP_SEARCHREF:
+ case REP_INTERMEDIATE:
+ /* ignore */
+ break;
+
+ default:
+ assert( rs->sr_type == REP_RESULT );
+ break;
+ }
}
return 0;
projects / openldap / blobdiff