fix ITS#3753
index 2cbef060237d90390a5b2d44d62ed3922e9878e3..e71d14fcca2ef5059df69accce86e1d2bcaa2b4a 100644 (file)
@@ -155,9 +155,25 @@ static int aci_match_set ( struct berval *subj, Operation *op,
  * - can be legally called with op->o_bd == NULL
  */
 
-#ifdef LDAP_DEVEL
+#ifdef SLAP_OVERLAY_ACCESS
+int
+slap_access_always_allowed(
+       Operation               *op,
+       Entry                   *e,
+       AttributeDescription    *desc,
+       struct berval           *val,
+       slap_access_t           access,
+       AccessControlState      *state,
+       slap_mask_t             *maskp )
+{
+       assert( maskp );
 
-static int
+       ACL_PRIV_SET( *maskp, ACL_ACCESS2PRIV( access ) );
+
+       return 1;
+}
+
+int
 slap_access_allowed(
        Operation               *op,
        Entry                   *e,
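Review bot: slap_access_always_allowed is inserted between the comment block that ends at `* - can be legally called with op->o_bd == NULL` and the slap_access_allowed that comment describes, so the comment now reads as documentation for the new function instead. Give the new function its own header, e.g. `/* grants the requested access unconditionally and records it in *maskp; the remaining parameters are unused */` (I take it the parameter list mirrors a backend callback type, but that type is not visible here). `assert( maskp )` is also the only guard before `*maskp` is written, so if NDEBUG builds exist a NULL maskp is dereferenced; say in the header that maskp is required. The signature of slap_access_allowed continues past the end of this hunk.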
@@ -260,7 +276,7 @@ slap_access_allowed(
        } else {
                if ( state ) state->as_vi_acl = NULL;
                a = NULL;
-               ACL_INIT( mask );
+               ACL_PRIV_ASSIGN( mask, *maskp );
                count = 0;
                memset( matches, '\0', sizeof( matches ) );
        }
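Review bot: slap_access_allowed now seeds `mask` from the caller's value with `ACL_PRIV_ASSIGN( mask, *maskp )` (here and again in the `vd_access` hunk) and writes it back with `ACL_PRIV_ASSIGN( *maskp, mask )` at `done:`, so every caller must pass an initialized mask. access_allowed_mask does `ACL_INIT( mask )` in its hunk, but the function is also made non-static in this commit, and a caller that passes an ACL_INVALIDATE'd or uninitialized mask would feed garbage into the grant decision. State the contract in the function's header comment, e.g. `/* *maskp must be initialized by the caller (ACL_INIT, or a mask to refine); on return it holds the computed mask */`. slap_access_allowed begins before this hunk.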
@@ -287,13 +303,13 @@ slap_access_allowed(
                                ( state->as_recorded & ACL_STATE_RECORDED_NV ) )
                        {
                                Debug( LDAP_DEBUG_ACL,
-                                       "slap_access_allowed: result from state (%s)\n",
+                                       "=> slap_access_allowed: result from state (%s)\n",
                                        attr, 0, 0 );
                                ret = state->as_result;
                                goto done;
                        } else {
                                Debug( LDAP_DEBUG_ACL,
-                                       "slap_access_allowed: no res from state (%s)\n",
+                                       "=> slap_access_allowed: no res from state (%s)\n",
                                        attr, 0, 0 );
                        }
                }
@@ -313,7 +329,7 @@ vd_access:
                Debug( LDAP_DEBUG_ACL,
                        "=> slap_access_allowed: \"%s\" (%s) invalid!\n",
                        e->e_dn, attr, 0 );
-               ACL_INIT( mask );
+               ACL_PRIV_ASSIGN( mask, *maskp );
 
        } else if ( control == ACL_BREAK ) {
                Debug( LDAP_DEBUG_ACL,
@@ -322,7 +338,7 @@ vd_access:
                goto done;
        }
 
-       ret = ACL_GRANT(mask, access);
+       ret = ACL_GRANT( mask, access );
 
        Debug( LDAP_DEBUG_ACL,
                "=> slap_access_allowed: %s access %s by %s\n",
@@ -330,7 +346,7 @@ vd_access:
                accessmask2str( mask, accessmaskbuf, 1 ) );
 
 done:
-       ACL_PRIV_SET( *maskp, mask );
+       ACL_PRIV_ASSIGN( *maskp, mask );
        return ret;
 }
 
@@ -366,7 +382,7 @@ access_allowed_mask(
 
        assert( access_level > ACL_NONE );
 
-       ACL_INVALIDATE( mask );
+       ACL_INIT( mask );
        if ( maskp ) ACL_INVALIDATE( *maskp );
 
        attr = desc->ad_cname.bv_val;
@@ -411,8 +427,9 @@ access_allowed_mask(
        }
 
        if ( op->o_bd == NULL ) {
-               op->o_bd = LDAP_STAILQ_FIRST(&backendDB);
+               op->o_bd = LDAP_STAILQ_FIRST( &backendDB );
                be_null = 1;
+
 #ifdef LDAP_DEVEL
                /*
                 * FIXME: experimental; use first backend rules
@@ -420,23 +437,26 @@ access_allowed_mask(
                if ( frontendDB->be_acl != NULL ) {
                        op->o_bd = frontendDB;
                }
-#endif
+#endif /* LDAP_DEVEL */
        }
        assert( op->o_bd != NULL );
 
-       /* delegate to backend */
-       if ( op->o_bd->bd_info->bi_access_allowed != NULL ) {
-               bi_access_allowed = op->o_bd->bd_info->bi_access_allowed;
+       /* this is enforced in backend_add() */
+       if ( op->o_bd->bd_info->bi_access_allowed ) {
+               /* delegate to backend */
+               ret = op->o_bd->bd_info->bi_access_allowed( op, e, desc, val, access, state, &mask );
+
        } else {
-               bi_access_allowed = slap_access_allowed;
+               /* use default */
+               ret = slap_access_allowed( op, e, desc, val, access, state, &mask );
        }
-       ret = bi_access_allowed( op, e, desc, val, access, state, &mask );
+
        if ( !ret ) {
                if ( ACL_IS_INVALID( mask ) ) {
                        Debug( LDAP_DEBUG_ACL,
                                "=> access_allowed: \"%s\" (%s) invalid!\n",
                                e->e_dn, attr, 0 );
-                       ACL_INIT(mask);
+                       ACL_INIT( mask );
 
                } else if ( control == ACL_BREAK ) {
                        Debug( LDAP_DEBUG_ACL,
@@ -467,7 +487,8 @@ done:
        return ret;
 }
 
-#else /* !LDAP_DEVEL */
+#else /* !SLAP_OVERLAY_ACCESS */
+
 int
 access_allowed_mask(
        Operation               *op,
@@ -741,7 +762,7 @@ done:
        return ret;
 }
 
-#endif /* LDAP_DEVEL */
+#endif /* SLAP_OVERLAY_ACCESS */
 
 /*
  * acl_get - return the acl applicable to entry e, attribute
@@ -899,11 +920,11 @@ acl_get(
                                        if ( vdnlen < patlen )
                                                continue;
        
-                                       if ( a->acl_dn_style == ACL_STYLE_BASE ) {
+                                       if ( a->acl_attrval_style == ACL_STYLE_BASE ) {
                                                if ( vdnlen > patlen )
                                                        continue;
        
-                                       } else if ( a->acl_dn_style == ACL_STYLE_ONE ) {
+                                       } else if ( a->acl_attrval_style == ACL_STYLE_ONE ) {
                                                int rdnlen = -1;
        
                                                if ( !DN_SEPARATOR( val->bv_val[vdnlen - patlen - 1] ) )
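Review bot: the ACL_STYLE_ONE branch reads `val->bv_val[vdnlen - patlen - 1]`, but the only guard before it is `if ( vdnlen < patlen ) continue;`, so `vdnlen == patlen` indexes one byte before the value buffer (or wraps to a huge index if these lengths are unsigned); the SUBTREE branch in the next hunk guards with `vdnlen > patlen &&` and CHILDREN with `vdnlen <= patlen`, and ONE needs the same, `if ( vdnlen <= patlen ) continue;` before the DN_SEPARATOR test, since a value equal to the pattern is not one level below it anyway. Switching the comparisons from acl_dn_style to acl_attrval_style looks right as far as visible, since this code matches the attribute value against the attrval pattern. acl_get begins before this hunk and the branch body continues into the next one.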
@@ -913,11 +934,11 @@ acl_get(
                                                if ( rdnlen != vdnlen - patlen - 1 )
                                                        continue;
        
-                                       } else if ( a->acl_dn_style == ACL_STYLE_SUBTREE ) {
+                                       } else if ( a->acl_attrval_style == ACL_STYLE_SUBTREE ) {
                                                if ( vdnlen > patlen && !DN_SEPARATOR( val->bv_val[vdnlen - patlen - 1] ) )
                                                        continue;
        
-                                       } else if ( a->acl_dn_style == ACL_STYLE_CHILDREN ) {
+                                       } else if ( a->acl_attrval_style == ACL_STYLE_CHILDREN ) {
                                                if ( vdnlen <= patlen )
                                                        continue;
        
@@ -1379,7 +1400,7 @@ acl_mask(
                "=> acl_mask: to %s by \"%s\", (%s) \n",
                val ? "value" : "all values",
                op->o_ndn.bv_val ?  op->o_ndn.bv_val : "",
-               accessmask2str( *mask, accessmaskbuf, 1) );
+               accessmask2str( *mask, accessmaskbuf, 1 ) );
 
 
        if( state && ( state->as_recorded & ACL_STATE_RECORDED_VD )