ITS#1991 fix + use struct berval

[openldap] / servers / slapd / acl.c

diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index c99695b603b77e75b45a06e2502c8fdd02837a4f..fdb4cd1b6375ef892079f9eda457a4c10066b701 100644 (file)
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -28,6 +28,7 @@ static struct berval
        aci_bv_br_all           = BER_BVC("[all]"),
        aci_bv_access_id        = BER_BVC("access-id"),
        aci_bv_anonymous        = BER_BVC("anonymous"),
+       aci_bv_public           = BER_BVC("public"),
        aci_bv_users            = BER_BVC("users"),
        aci_bv_self             = BER_BVC("self"),
        aci_bv_dnattr           = BER_BVC("dnattr"),
@@ -763,7 +764,7 @@ dn_match_cleanup:;
                                        if ( b->a_domain_expand ) {
                                                struct berval bv;
 
-                                               bv.bv_len = sizeof(buf);
+                                               bv.bv_len = sizeof(buf) - 1;
                                                bv.bv_val = buf;
 
                                                string_expand(&bv, &b->a_domain_pat, e->e_ndn, matches);
@@ -1388,7 +1389,7 @@ aci_set_gather (void *cookie, struct berval *name, struct berval *attr)
                const char *text;
                AttributeDescription *desc = NULL;
                if (slap_bv2ad(attr, &desc, &text) == LDAP_SUCCESS) {
-                       backend_attribute(cp->be, NULL, NULL,
+                       backend_attribute(cp->be, NULL, cp->op,
                                cp->e, &ndn, desc, &bvals);
                }
                free(ndn.bv_val);
@@ -1437,7 +1438,7 @@ aci_match_set (
                        if ( dnNormalize2(NULL, &subjdn, &ndn) == LDAP_SUCCESS
                                && slap_bv2ad(&setat, &desc, &text) == LDAP_SUCCESS )
                        {
-                               backend_attribute(be, NULL, NULL, e,
+                               backend_attribute(be, NULL, op, e,
                                        &ndn, desc, &bvals);
                                if ( bvals != NULL ) {
                                        if ( bvals[0].bv_val != NULL ) {
@@ -1669,7 +1670,7 @@ aci_group_member (
        if (grp_oc != NULL && grp_ad != NULL ) {
                char buf[ACL_BUF_SIZE];
                struct berval bv, ndn;
-               bv.bv_len = sizeof( buf );
+               bv.bv_len = sizeof( buf ) - 1;
                bv.bv_val = (char *)&buf;
                string_expand(&bv, &subjdn, e->e_ndn, matches);
                if ( dnNormalize2(NULL, &bv, &ndn) == LDAP_SUCCESS ) {
@@ -1707,6 +1708,8 @@ aci_mask(
 
           See draft-ietf-ldapext-aci-model-04.txt section 9.1 for
           a full description of the format for this attribute.
+          Differences: "this" in the draft is "self" here, and
+          "self" and "public" is in the position of dnType.
 
           For now, this routine only supports scope=entry.
         */
@@ -1743,14 +1746,17 @@ aci_mask(
 
        if (ber_bvstrcasecmp( &aci_bv_access_id, &bv ) == 0) {
                struct berval ndn;
-               rc = 1;
+               rc = 0;
                if ( dnNormalize2(NULL, &sdn, &ndn) == LDAP_SUCCESS ) {
-                       if (!dn_match( &op->o_ndn, &ndn))
-                               rc = 0;
+                       if (dn_match( &op->o_ndn, &ndn))
+                               rc = 1;
                        free(ndn.bv_val);
                }
                return (rc);
 
+       } else if (ber_bvstrcasecmp( &aci_bv_public, &bv ) == 0) {
+               return(1);
+
        } else if (ber_bvstrcasecmp( &aci_bv_self, &bv ) == 0) {
                if (dn_match(&op->o_ndn, &e->e_nname))
                        return(1);
@@ -1911,7 +1917,7 @@ regex_matches(
        struct berval bv;
        int     rc;
 
-       bv.bv_len = sizeof(newbuf);
+       bv.bv_len = sizeof(newbuf) - 1;
        bv.bv_val = newbuf;
 
        if(str == NULL) str = "";