honor 'disclose' ACL on searchBase/compare/referral/matched (ITS#3472 and comments...

diff --git a/servers/slapd/back-sql/compare.c b/servers/slapd/back-sql/compare.c
index 08f4c7f356a57b11ed4e50f957659879b5077f68..d7890156c9aba64c1f63e1515d5ffa0a90c54a63 100644 (file)
--- a/servers/slapd/back-sql/compare.c
+++ b/servers/slapd/back-sql/compare.c
@@ -109,6 +109,12 @@ backsql_compare( Operation *op, SlapReply *rs )
        }
        e = &user_entry;
 
+       if ( ! access_allowed( op, e, slap_schema.si_ad_entry, NULL,
+                               ACL_DISCLOSE, NULL ) ) {
+               rs->sr_err = LDAP_NO_SUCH_OBJECT;
+               goto return_results;
+       }
+
        if ( ! access_allowed( op, e, op->oq_compare.rs_ava->aa_desc, 
                                &op->oq_compare.rs_ava->aa_value,
                                ACL_COMPARE, NULL ) ) {

diff --git a/servers/slapd/back-sql/search.c b/servers/slapd/back-sql/search.c
index cb4089b1925d76c6c382aa3d2fd2fa794b83bc9f..ace1fc6d249b7ade6e0662586e9fd0e076a2cef7 100644 (file)
--- a/servers/slapd/back-sql/search.c
+++ b/servers/slapd/back-sql/search.c
@@ -1718,6 +1718,13 @@ backsql_search( Operation *op, SlapReply *rs )
                goto done;
        }
 
+       if ( ! access_allowed( op, bsi.bsi_e, slap_schema.si_ad_entry, NULL,
+                               ACL_DISCLOSE, NULL ) ) {
+               rs->sr_err = LDAP_NO_SUCH_OBJECT;
+               send_ldap_result( op, rs );
+               goto done;
+       }
+
        bsi.bsi_n_candidates =
                ( op->ors_limit == NULL /* isroot == TRUE */ ? -2 : 
                ( op->ors_limit->lms_s_unchecked == -1 ? -2 :