* returns:
* 0 access denied
* 1 access granted
+ *
+ * Notes:
+ * - can be legally called with op == NULL
+ * - can be legally called with op->o_bd == NULL
*/
int
int ret = 1;
int count;
AccessControl *a = NULL;
- Backend *be;
- int be_null = 0;
+ Backend *be, *old_be;
#ifdef LDAP_DEBUG
char accessmaskbuf[ACCESSMASK_MAXLEN];
goto done;
}
- be = op->o_bd;
+ be = old_be = op->o_bd;
if ( be == NULL ) {
+ /*
+ * FIXME: is this needed by slapi only? We might find
+ * a better way to pass the appropriate information
+ * that is relevant at this stage, e.g. a fake BackendDB
+ * with global info
+ */
be = &backends[0];
- be_null = 1;
op->o_bd = be;
}
assert( be != NULL );
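Review bot: `op->o_bd` is overwritten with `&backends[0]` in this hunk, but the only restore is the single `op->o_bd = old_be;` added after `#endif /* LDAP_SLAPI */`, while the reset on the exit path (`if (be_null) op->o_bd = NULL;`) is removed further down. If anything between those two points leaves early (only the closing braces of the SLAPI block are visible, and a `goto done;` appears just above), the caller gets its operation back still bound to the first backend. Later root or default-access checks on that `op` would then be evaluated against a database the request never selected. Restoring on the exit path as well, e.g. `op->o_bd = old_be;` immediately after the `done:` label, keeps the substitution local to this call. The function body starts and ends outside this hunk, so the position of the label is assumed.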
}
}
#endif /* LDAP_SLAPI */
+ op->o_bd = old_be;
/* grant database root access */
- if ( be != NULL && be_isroot( op ) ) {
+ if ( old_be && be_isroot( op ) ) {
#ifdef NEW_LOGGING
LDAP_LOG( ACL, INFO,
"access_allowed: conn %lu root access granted\n",
}
/* use backend default access if no backend acls */
- if( be != NULL && be->be_acl == NULL ) {
+ if( old_be != NULL && old_be->be_acl == NULL ) {
#ifdef NEW_LOGGING
LDAP_LOG( ACL, DETAIL1,
"access_allowed: backend default %s access %s to \"%s\"\n",
access2str( access ),
- be->be_dfltaccess >= access ? "granted" : "denied",
+ old_be->be_dfltaccess >= access ? "granted" : "denied",
op->o_dn.bv_val ? op->o_dn.bv_val : "(anonymous)" );
#else
Debug( LDAP_DEBUG_ACL,
"=> access_allowed: backend default %s access %s to \"%s\"\n",
access2str( access ),
- be->be_dfltaccess >= access ? "granted" : "denied",
+ old_be->be_dfltaccess >= access ? "granted" : "denied",
op->o_dn.bv_val ? op->o_dn.bv_val : "(anonymous)" );
#endif
- ret = be->be_dfltaccess >= access;
+ ret = old_be->be_dfltaccess >= access;
if ( maskp ) {
int i;
mask = ACL_PRIV_LEVEL;
- for ( i = ACL_NONE; i <= be->be_dfltaccess; i++ ) {
+ for ( i = ACL_NONE; i <= old_be->be_dfltaccess; i++ ) {
mask |= ACL_ACCESS2PRIV( i );
}
}
#ifdef notdef
/* be is always non-NULL */
/* use global default access if no global acls */
- } else if ( be == NULL && global_acl == NULL ) {
+ } else if ( old_be == NULL && global_acl == NULL ) {
#ifdef NEW_LOGGING
LDAP_LOG( ACL, DETAIL1,
"access_allowed: global default %s access %s to \"%s\"\n",
}
state->as_recorded |= ACL_STATE_RECORDED;
}
- if (be_null) op->o_bd = NULL;
if ( maskp ) *maskp = mask;
return ret;
}