honor disclose

[openldap] / servers / slapd / back-monitor / search.c
diff --git a/servers/slapd/back-monitor/search.c b/servers/slapd/back-monitor/search.c

index 15fd74db6695f27eeb4d1c225eb627f98c14b60e..a785e662c1ff3ebb82b4a3c5483587df5b651195 100644 (file)
--- a/servers/slapd/back-monitor/search.c
+++ b/servers/slapd/back-monitor/search.c
@@ -2,7 +2,7 @@
  /* $OpenLDAP$ */
  /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
   *
- * Copyright 2001-2004 The OpenLDAP Foundation.
+ * Copyright 2001-2005 The OpenLDAP Foundation.
   * Portions Copyright 2001-2003 Pierangelo Masarati.
   * All rights reserved.
   *
@@ -56,7 +56,7 @@ monitor_send_children(
         if ( e_ch == NULL ) {
                 /* no persistent entries? return */
                 if ( e == NULL ) {
-                       return( 0 );
+                       return LDAP_SUCCESS;
                 }
         
         /* volatile entries */
@@ -87,6 +87,11 @@ monitor_send_children(
                 mp = ( monitor_entry_t * )e->e_private;
  
                 monitor_entry_update( op, e );
+
+               if ( op->o_abandon ) {
+                       monitor_cache_release( mi, e );
+                       return SLAPD_ABANDON;
+               }
                 
                 rc = test_filter( op, e, op->oq_search.rs_filter );
                 if ( rc == LDAP_COMPARE_TRUE ) {
@@ -97,9 +102,11 @@ monitor_send_children(
                 }
  
                 if ( ( mp->mp_children || MONITOR_HAS_VOLATILE_CH( mp ) )
-                               && sub ) {
+                               && sub )
+               {
                         rc = monitor_send_children( op, rs, e, sub );
                         if ( rc ) {
+                               monitor_cache_release( mi, e );
                                 return( rc );
                         }
                 }
@@ -112,7 +119,7 @@ monitor_send_children(
                 e = e_tmp;
         }
         
-       return( 0 );
+       return LDAP_SUCCESS;
  }
  
  int
@@ -120,7 +127,8 @@ monitor_back_search( Operation *op, SlapReply *rs )
  {
         monitor_info_t  *mi = ( monitor_info_t * )op->o_bd->be_private;
         int             rc = LDAP_SUCCESS;
-       Entry           *e, *matched = NULL;
+       Entry           *e = NULL, *matched = NULL;
+       slap_mask_t     mask;
  
         Debug( LDAP_DEBUG_TRACE, "=> monitor_back_search\n", 0, 0, 0 );
  
@@ -130,7 +138,17 @@ monitor_back_search( Operation *op, SlapReply *rs )
         if ( e == NULL ) {
                 rs->sr_err = LDAP_NO_SUCH_OBJECT;
                 if ( matched ) {
-                       rs->sr_matched = matched->e_dn;
+#ifdef SLAP_ACL_HONOR_DISCLOSE
+                       if ( !access_allowed_mask( op, matched,
+                                       slap_schema.si_ad_entry,
+                                       NULL, ACL_DISCLOSE, NULL, NULL ) )
+                       {
+                               /* do nothing */ ;
+                       } else 
+#endif /* SLAP_ACL_HONOR_DISCLOSE */
+                       {
+                               rs->sr_matched = matched->e_dn;
+                       }
                 }
  
                 send_ldap_result( op, rs );
@@ -139,7 +157,28 @@ monitor_back_search( Operation *op, SlapReply *rs )
                         rs->sr_matched = NULL;
                 }
  
-               return( 0 );
+               return rs->sr_err;
+       }
+
+       /* NOTE: __NEW__ "search" access is required
+        * on searchBase object */
+       if ( !access_allowed_mask( op, e, slap_schema.si_ad_entry,
+                               NULL, ACL_SEARCH, NULL, &mask ) )
+       {
+               monitor_cache_release( mi, e );
+
+#ifdef SLAP_ACL_HONOR_DISCLOSE
+               if ( !ACL_GRANT( mask, ACL_DISCLOSE ) ) {
+                       rs->sr_err = LDAP_NO_SUCH_OBJECT;
+               } else 
+#endif /* SLAP_ACL_HONOR_DISCLOSE */
+               {
+                       rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+               }
+
+               send_ldap_result( op, rs );
+
+               return rs->sr_err;
         }
  
         rs->sr_attrs = op->oq_search.rs_attrs;
@@ -159,10 +198,6 @@ monitor_back_search( Operation *op, SlapReply *rs )
  
         case LDAP_SCOPE_ONELEVEL:
                 rc = monitor_send_children( op, rs, e, 0 );
-               if ( rc ) {
-                       rc = LDAP_OTHER;
-               }
-               
                 break;
  
         case LDAP_SCOPE_SUBTREE:
@@ -176,17 +211,15 @@ monitor_back_search( Operation *op, SlapReply *rs )
                 }
  
                 rc = monitor_send_children( op, rs, e, 1 );
-               if ( rc ) {
-                       rc = LDAP_OTHER;
-               }
-
                 break;
         }
-       
+
         rs->sr_attrs = NULL;
         rs->sr_err = rc;
-       send_ldap_result( op, rs );
+       if ( rs->sr_err != SLAPD_ABANDON ) {
+               send_ldap_result( op, rs );
+       }
  
-       return( rc == LDAP_SUCCESS ? 0 : 1 );
+       return rs->sr_err;
  }