condition compilation of DISCLOSE checking (there's more to do)

diff --git a/servers/slapd/back-sql/compare.c b/servers/slapd/back-sql/compare.c
index 0f581374669f152d5084d3992e83e8389b9b0029..ac23f9e6c17705025dddfe6755699eb23d2fd203 100644 (file)
--- a/servers/slapd/back-sql/compare.c
+++ b/servers/slapd/back-sql/compare.c
@@ -67,7 +67,9 @@ backsql_compare( Operation *op, SlapReply *rs )
                anlistp = anlist;
        }
 
-
+       /*
+        * FIXME: deal with matchedDN/referral?
+        */
        rc = backsql_init_search( &bsi, &op->o_req_ndn,
                        LDAP_SCOPE_BASE, 
                        SLAP_NO_LIMIT, SLAP_NO_LIMIT,
@@ -79,19 +81,6 @@ backsql_compare( Operation *op, SlapReply *rs )
                        0, 0, 0 );
                rs->sr_err = LDAP_NO_SUCH_OBJECT;
                goto return_results;
-
-       } else {
-               Entry   e = { 0 };
-
-               e.e_name = bsi.bsi_base_id.eid_dn;
-               e.e_nname = bsi.bsi_base_id.eid_ndn;
-
-               /* FIXME: need the whole entry (ITS#3480) */
-               if ( ! access_allowed( op, &e, slap_schema.si_ad_entry, NULL,
-                                       ACL_DISCLOSE, NULL ) ) {
-                       rs->sr_err = LDAP_NO_SUCH_OBJECT;
-                       goto return_results;
-               }
        }
 
        if ( is_at_operational( op->oq_compare.rs_ava->aa_desc->ad_type ) ) {
@@ -126,11 +115,18 @@ backsql_compare( Operation *op, SlapReply *rs )
        }
        e = &user_entry;
 
-       /* FIXME: need the whole entry (ITS#3480) */
        if ( ! access_allowed( op, e, op->oq_compare.rs_ava->aa_desc, 
                                &op->oq_compare.rs_ava->aa_value,
                                ACL_COMPARE, NULL ) ) {
-               rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+#ifdef SLAP_ACL_HONOR_DISCLOSE
+               if ( ! access_allowed( op, &e, slap_schema.si_ad_entry, NULL,
+                                       ACL_DISCLOSE, NULL ) ) {
+                       rs->sr_err = LDAP_NO_SUCH_OBJECT;
+               } else
+#endif /* SLAP_ACL_HONOR_DISCLOSE */
+               {
+                       rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+               }
                goto return_results;
        }
 

diff --git a/servers/slapd/back-sql/search.c b/servers/slapd/back-sql/search.c
index d74d896c9eb1c208dd78663a1b7c62d8ff00a6b0..0f8ac3fa1930f9e7dfd405d3ac872d62f4d6e7f4 100644 (file)
--- a/servers/slapd/back-sql/search.c
+++ b/servers/slapd/back-sql/search.c
@@ -277,9 +277,15 @@ backsql_init_search(
 
        bsi->bsi_status = rc;
 
-       if ( rc != LDAP_SUCCESS ) {
+       switch ( rc ) {
+       case LDAP_SUCCESS:
+       case LDAP_REFERRAL:
+               break;
+
+       default:
                bsi->bsi_op->o_tmpfree( bsi->bsi_attrs,
                                bsi->bsi_op->o_tmpmemctx );
+               break;
        }
 
        return rc;