More "entry" level ACLs for entry add, delete, and rename.
[openldap] / servers / slapd / back-ldbm / modrdn.c
index 5ba4e9afb6d4cf440d1e47fe9e4b3815414101fd..f71cfc615005f81699a973a06b05a26931b60069 100644 (file)
@@ -47,6 +47,7 @@ ldbm_back_modrdn(
 )
 {
        AttributeDescription *children = slap_schema.si_ad_children;
+       AttributeDescription *entry = slap_schema.si_ad_entry;
        struct ldbminfo *li = (struct ldbminfo *) be->be_private;
        struct berval   p_dn, p_ndn;
        struct berval   new_dn = { 0, NULL}, new_ndn = { 0, NULL };
@@ -115,6 +116,26 @@ ldbm_back_modrdn(
                return( -1 );
        }
 
+       /* check entry for "entry" acl */
+       if ( ! access_allowed( be, conn, op, e,
+               entry, NULL, ACL_WRITE, NULL ) )
+       {
+#ifdef NEW_LOGGING
+               LDAP_LOG( BACK_LDBM, ERR, 
+                       "ldbm_back_modrdn: no write access to entry of (%s)\n", 
+                       dn->bv_val, 0, 0 );
+#else
+               Debug( LDAP_DEBUG_TRACE,
+                       "<=- ldbm_back_modrdn: no write access to entry\n", 0,
+                       0, 0 );
+#endif
+
+               send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
+                       NULL, "no write access to entry", NULL, NULL );
+
+               goto return_results;
+       }
+
        if (!manageDSAit && is_entry_referral( e ) ) {
                /* parent is a referral, don't allow add */
                /* parent is an alias, don't allow add */
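Review bot: The `Debug` branch of the new denial path logs no DN, while the `NEW_LOGGING` branch does, so in builds without `NEW_LOGGING` a rejected rename cannot be tied to an entry from the log. I would make the two agree: `Debug( LDAP_DEBUG_TRACE, "<=- ldbm_back_modrdn: no write access to entry (%s)\n", dn->bv_val, 0, 0 );`. Separately, the check answers `LDAP_INSUFFICIENT_ACCESS` for an entry that exists. If the lookup-failure path above the hunk answers with a different result code (it is not visible here), a client with no access to the entry can tell existing DNs from missing ones, so that deserves a comment stating it is intended. The body of `ldbm_back_modrdn` starts and ends outside the hunk, so what `return_results` releases for `e` could not be checked.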