slap_schema.si_oc_dynamicObject, NULL, 0, &e );
if ( rc == LDAP_SUCCESS && e != NULL ) {
if ( !is_dynamicObject ) {
+ AclCheck ak = { e, slap_schema.si_ad_entry, NULL,
+ ACL_DISCLOSE, NULL };
/* return referral only if "disclose"
* is granted on the object */
- if ( ! access_allowed( op, e,
- slap_schema.si_ad_entry,
- NULL, ACL_DISCLOSE, NULL ) )
+ if ( ! access_allowed( op, &ak ))
{
rc = rs->sr_err = LDAP_NO_SUCH_OBJECT;
send_ldap_result( op, rs );
slap_schema.si_oc_dynamicObject, NULL, 0, &e );
if ( rc == LDAP_SUCCESS && e != NULL ) {
if ( !is_dynamicObject ) {
+ AclCheck ak = { e, slap_schema.si_ad_entry, NULL,
+ ACL_DISCLOSE, NULL };
/* return referral only if "disclose"
* is granted on the object */
- if ( ! access_allowed( op, e,
- slap_schema.si_ad_entry,
- NULL, ACL_DISCLOSE, NULL ) )
+ if ( ! access_allowed( op, &ak ))
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
send_ldap_result( op, rs );
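Review bot: The added initializer `AclCheck ak = { e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL };` is positional, so the meaning of each operand silently depends on the field order of AclCheck; the neighbouring hunks that build the same disclose check use the same form. If the project's compiler baseline permits C99 designated initializers, `AclCheck ak = { .ak_e = e, .ak_desc = slap_schema.si_ad_entry, .ak_val = NULL, .ak_access = ACL_DISCLOSE, .ak_state = NULL };` says which field carries the access level and survives a reorder of the struct. The enclosing function starts and ends outside the hunk.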
rs->sr_err = be_entry_get_rw( op, &op->o_req_ndn,
NULL, NULL, 0, &e );
if ( rs->sr_err == LDAP_SUCCESS && e != NULL ) {
+ AclCheck ak = { e, slap_schema.si_ad_entry, NULL,
+ ACL_DISCLOSE, NULL };
/* return referral only if "disclose"
* is granted on the object */
- if ( ! access_allowed( op, e,
- slap_schema.si_ad_entry,
- NULL, ACL_DISCLOSE, NULL ) )
+ if ( ! access_allowed( op, &ak ))
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
static char dummy = '\0';
Entry *ebase;
int i;
+ AclCheck ak;
rc = overlay_entry_get_ov( op, &rs->sr_entry->e_nname, NULL, NULL, 0, &ebase, dc->dc_on );
if ( rc != LDAP_SUCCESS || ebase == NULL ) {
return SLAP_CB_CONTINUE;
}
+ ak.ak_e = rs->sr_entry;
+ ak.ak_access = ACL_READ;
+ ak.ak_state = &acl_state;
for ( ds = dc->dc_ds; ds; ds = ds->ds_next ) {
Attribute *a = attr_find( ebase->e_attrs, ds->ds_derefAttr );
DerefVal *dv;
BerVarray *bva;
- if ( !access_allowed( op, rs->sr_entry, a->a_desc,
- NULL, ACL_READ, &acl_state ) )
+ ak.ak_desc = a->a_desc;
+ ak.ak_val = NULL;
+ if ( !access_allowed( op, &ak ))
{
continue;
}
dv[ i ].dv_attrVals = bva;
bva += ds->ds_nattrs;
-
- if ( !access_allowed( op, rs->sr_entry, a->a_desc,
- &a->a_nvals[ i ], ACL_READ, &acl_state ) )
+ ak.ak_val = &a->a_nvals[i];
+ if ( !access_allowed( op, &ak ))
{
dv[ i ].dv_derefSpecVal.bv_val = &dummy;
continue;
rc = overlay_entry_get_ov( op, &a->a_nvals[ i ], NULL, NULL, 0, &e, dc->dc_on );
if ( rc == LDAP_SUCCESS && e != NULL ) {
int j;
-
- if ( access_allowed( op, e, slap_schema.si_ad_entry,
- NULL, ACL_READ, NULL ) )
+ AclCheck ak2;
+ AccessControlState acl_st2 = ACL_STATE_INIT;
+
+ ak2.ak_e = e;
+ ak2.ak_desc = slap_schema.si_ad_entry;
+ ak2.ak_val = NULL;
+ ak2.ak_state = NULL;
+ if ( access_allowed( op, &ak2 ))
{
+ ak2.ak_state = &acl_st2;
for ( j = 0; j < ds->ds_nattrs; j++ ) {
Attribute *aa;
- if ( !access_allowed( op, e, ds->ds_attributes[ j ], NULL,
- ACL_READ, &acl_state ) )
+ ak2.ak_desc = ds->ds_attributes[ j ];
+ if ( !access_allowed( op, &ak2 ))
{
continue;
}
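Review bot: `ak2.ak_access` is never assigned before `if ( access_allowed( op, &ak2 ))`, so the entry-level check on the dereferenced entry runs with an indeterminate access level, where the removed lines asked for ACL_READ; the `+` lines from `AclCheck ak2;` to the call are contiguous, so no assignment can be hiding between them. Add `ak2.ak_access = ACL_READ;` next to the other ak2 field assignments. The per-attribute check further down (`ak2.ak_desc = ds->ds_attributes[ j ];`) reuses ak2 and inherits the same unset field, as do the per-value checks in the following hunk. The enclosing function starts and ends outside the hunk.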
aa->a_vals, op->o_tmpmemctx );
bv.bv_len += ds->ds_attributes[ j ]->ad_cname.bv_len;
-
+ ak2.ak_desc = aa->a_desc;
for ( k = 0, h = 0; k < aa->a_numvals; k++ ) {
- if ( !access_allowed( op, e,
- aa->a_desc,
- &aa->a_nvals[ k ],
- ACL_READ, &acl_state ) )
+ ak2.ak_val = &aa->a_nvals[ k ];
+ if ( !access_allowed( op, &ak2 ))
{
op->o_tmpfree( dv[ i ].dv_attrVals[ j ][ h ].bv_val,
op->o_tmpmemctx );
int opattrs,
userattrs;
AccessControlState acl_state = ACL_STATE_INIT;
+ AclCheck ak;
dynlist_sc_t *dlc;
dynlist_map_t *dlm;
assert( rs->sr_entry != NULL );
/* test access to entry */
- if ( !access_allowed( op, rs->sr_entry, slap_schema.si_ad_entry,
- NULL, ACL_READ, NULL ) )
+ ak.ak_e = rs->sr_entry;
+ ak.ak_desc = slap_schema.si_ad_entry;
+ ak.ak_val = NULL;
+ ak.ak_access = ACL_READ;
+ ak.ak_state = NULL;
+ if ( !access_allowed( op, &ak ))
{
goto done;
}
if ( dlm && dlm->dlm_mapped_ad == NULL && dlm->dlm_next == NULL ) {
/* if access allowed, try to add values, emulating permissive
* control to silently ignore duplicates */
- if ( access_allowed( op, rs->sr_entry, slap_schema.si_ad_entry,
- NULL, ACL_READ, NULL ) )
- {
- Modification mod;
- const char *text = NULL;
- char textbuf[1024];
- struct berval vals[ 2 ], nvals[ 2 ];
-
- vals[ 0 ] = rs->sr_entry->e_name;
- BER_BVZERO( &vals[ 1 ] );
- nvals[ 0 ] = rs->sr_entry->e_nname;
- BER_BVZERO( &nvals[ 1 ] );
-
- mod.sm_op = LDAP_MOD_ADD;
- mod.sm_desc = dlm->dlm_member_ad;
- mod.sm_type = dlm->dlm_member_ad->ad_cname;
- mod.sm_values = vals;
- mod.sm_nvalues = nvals;
- mod.sm_numvals = 1;
-
- (void)modify_add_values( e, &mod, /* permissive */ 1,
- &text, textbuf, sizeof( textbuf ) );
- }
+ Modification mod;
+ const char *text = NULL;
+ char textbuf[1024];
+ struct berval vals[ 2 ], nvals[ 2 ];
+
+ vals[ 0 ] = rs->sr_entry->e_name;
+ BER_BVZERO( &vals[ 1 ] );
+ nvals[ 0 ] = rs->sr_entry->e_nname;
+ BER_BVZERO( &nvals[ 1 ] );
+
+ mod.sm_op = LDAP_MOD_ADD;
+ mod.sm_desc = dlm->dlm_member_ad;
+ mod.sm_type = dlm->dlm_member_ad->ad_cname;
+ mod.sm_values = vals;
+ mod.sm_nvalues = nvals;
+ mod.sm_numvals = 1;
+
+ (void)modify_add_values( e, &mod, /* permissive */ 1,
+ &text, textbuf, sizeof( textbuf ) );
goto done;
}
}
}
+ ak.ak_desc = a->a_desc;
+ ak.ak_state = &acl_state;
/* test access to attribute */
if ( op->ors_attrsonly ) {
- if ( !access_allowed( op, rs->sr_entry, a->a_desc, NULL,
- ACL_READ, &acl_state ) )
+ if ( !access_allowed( op, &ak ))
{
continue;
}
}
}
- if ( access_allowed( op, rs->sr_entry, a->a_desc,
- &a->a_nvals[i], ACL_READ, &acl_state ) )
+ ak.ak_val = &a->a_nvals[i];
+ if ( access_allowed( op, &ak ))
{
vals[j] = a->a_vals[i];
if ( nvals ) {
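Review bot: `ak.ak_val` is not reset where `ak.ak_desc = a->a_desc;` and `ak.ak_state = &acl_state;` are assigned, so for every attribute after the first the attrsonly check `if ( !access_allowed( op, &ak ))` runs with `ak_val` still pointing at the previous attribute's last value (left behind by `ak.ak_val = &a->a_nvals[i];` further down), whereas the removed lines passed NULL for an attribute-level check. Adding `ak.ak_val = NULL;` alongside those two assignments restores the original semantics. This assumes the assignments sit inside the per-attribute loop, which the per-attribute desc and the `continue` suggest; the enclosing function starts and ends outside the hunk.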
if ( map != NULL ) {
Attribute *a = *map;
AccessControlState acl_state = ACL_STATE_INIT;
+ AclCheck ak;
+
+ ak.ak_desc = mo->mo_ad_memberof;
+ ak.ak_access = ACL_WADD;
+ ak.ak_state = &acl_state;
for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ ) {
Entry *e;
op->o_bd->bd_info = (BackendInfo *)on->on_info;
/* access is checked with the original identity */
- rc = access_allowed( op, op->ora_e, mo->mo_ad_memberof,
- &a->a_nvals[ i ], ACL_WADD,
- &acl_state );
- if ( rc == 0 ) {
+ ak.ak_e = op->ora_e;
+ ak.ak_val = &a->a_nvals[ i ];
+ if ( !access_allowed( op, &ak )) {
rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
rs->sr_text = NULL;
send_ldap_result( op, rs );
/* access is checked with the original identity */
op->o_bd->bd_info = (BackendInfo *)on->on_info;
- rc = access_allowed( op, e, mo->mo_ad_member,
- &op->o_req_ndn, ACL_WADD, NULL );
+ ak.ak_e = e;
+ ak.ak_val = &op->o_req_ndn;
+ rc = access_allowed( op, &ak );
be_entry_release_r( op, e );
op->o_bd->bd_info = (BackendInfo *)on;
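Review bot: The check on the member entry at `ak.ak_e = e; ak.ak_val = &op->o_req_ndn; rc = access_allowed( op, &ak );` still carries `ak_desc = mo->mo_ad_memberof` and `ak_state = &acl_state` from the setup earlier in the function, whereas the removed lines checked `mo->mo_ad_member` with a NULL state; unless a line outside the hunk re-sets them, this authorization decision is now made against the wrong attribute and with state accumulated from checks on a different entry. The LDAP_MOD_DELETE path further down (the hunk that replaces `access_allowed( op, e, mo->mo_ad_member, &op->o_req_ndn, ACL_WDEL, NULL )`) has the same problem, while the later LDAP_MOD_ADD hunk already does it right with a separate `ak2` set to `mo_ad_member` and a NULL state. Use the same two-struct pattern here, declaring `AclCheck ak2;` next to `ak` (that declaration lies outside this hunk), and in the delete path with `ACL_WDEL`. The enclosing function starts and ends outside the hunk.
```c
	/* … unchanged: memberOf check on op->ora_e and be_entry_get_rw … */
	/* access is checked with the original identity */
	op->o_bd->bd_info = (BackendInfo *)on->on_info;
	ak2.ak_e = e;
	ak2.ak_desc = mo->mo_ad_member;
	ak2.ak_val = &op->o_req_ndn;
	ak2.ak_access = ACL_WADD;
	ak2.ak_state = NULL;
	rc = access_allowed( op, &ak2 );
	be_entry_release_r( op, e );
```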
Modifications *ml = *mmlp;
int i;
Entry *target;
+ AclCheck ak;
op->o_bd->bd_info = (BackendInfo *)on->on_info;
rc = be_entry_get_rw( op, &op->o_req_ndn,
goto done;
}
+ ak.ak_desc = mo->mo_ad_memberof;
switch ( ml->sml_op ) {
case LDAP_MOD_DELETE:
if ( ml->sml_nvalues != NULL ) {
AccessControlState acl_state = ACL_STATE_INIT;
+ ak.ak_access = ACL_WDEL;
+ ak.ak_state = &acl_state;
for ( i = 0; !BER_BVISNULL( &ml->sml_nvalues[ i ] ); i++ ) {
Entry *e;
op->o_bd->bd_info = (BackendInfo *)on->on_info;
/* access is checked with the original identity */
- rc = access_allowed( op, target,
- mo->mo_ad_memberof,
- &ml->sml_nvalues[ i ],
- ACL_WDEL,
- &acl_state );
- if ( rc == 0 ) {
+ ak.ak_e = target;
+ ak.ak_val = &ml->sml_nvalues[ i ];
+ if ( !access_allowed( op, &ak )) {
rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
rs->sr_text = NULL;
send_ldap_result( op, rs );
/* access is checked with the original identity */
op->o_bd->bd_info = (BackendInfo *)on->on_info;
- rc = access_allowed( op, e, mo->mo_ad_member,
- &op->o_req_ndn,
- ACL_WDEL, NULL );
+ ak.ak_e = e;
+ ak.ak_val = &op->o_req_ndn;
+ rc = access_allowed( op, &ak );
be_entry_release_r( op, e );
op->o_bd->bd_info = (BackendInfo *)on;
op->o_bd->bd_info = (BackendInfo *)on->on_info;
/* access is checked with the original identity */
- rc = access_allowed( op, target,
- mo->mo_ad_memberof,
- NULL,
- ACL_WDEL, NULL );
+ ak.ak_e = target;
+ ak.ak_val = NULL;
+ ak.ak_access = ACL_WDEL;
+ ak.ak_state = NULL;
+ rc = access_allowed( op, &ak );
op->o_bd->bd_info = (BackendInfo *)on;
if ( rc == 0 ) {
rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
case LDAP_MOD_ADD: {
AccessControlState acl_state = ACL_STATE_INIT;
+ AclCheck ak2;
+
+ ak.ak_e = target;
+ ak.ak_access = ACL_WADD;
+ ak.ak_state = &acl_state;
+
+ ak2.ak_desc = mo->mo_ad_member;
+ ak2.ak_val = &op->o_req_ndn;
+ ak2.ak_access = ACL_WDEL;
+ ak2.ak_state = NULL;
for ( i = 0; !BER_BVISNULL( &ml->sml_nvalues[ i ] ); i++ ) {
Entry *e;
op->o_bd->bd_info = (BackendInfo *)on->on_info;
/* access is checked with the original identity */
- rc = access_allowed( op, target,
- mo->mo_ad_memberof,
- &ml->sml_nvalues[ i ],
- ACL_WADD,
- &acl_state );
- if ( rc == 0 ) {
+ ak.ak_val = &ml->sml_nvalues[ i ];
+ if ( !access_allowed( op, &ak )) {
rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
rs->sr_text = NULL;
send_ldap_result( op, rs );
/* access is checked with the original identity */
op->o_bd->bd_info = (BackendInfo *)on->on_info;
- rc = access_allowed( op, e, mo->mo_ad_member,
- &op->o_req_ndn,
- ACL_WDEL, NULL );
+ ak2.ak_e = e;
+ rc = access_allowed( op, &ak2 );
be_entry_release_r( op, e );
op->o_bd->bd_info = (BackendInfo *)on;
{
Entry e = {0};
Attribute a = {0};
+ AclCheck ak;
e.e_name = si->si_contextdn;
e.e_nname = si->si_contextdn;
a.a_nvals = a.a_vals;
a.a_numvals = si->si_numcsns;
- rs->sr_err = access_allowed( op, &e, op->oq_compare.rs_ava->aa_desc,
- &op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL );
+ ak.ak_e = &e;
+ ak.ak_desc = op->oq_compare.rs_ava->aa_desc;
+ ak.ak_val = &op->oq_compare.rs_ava->aa_value;
+ ak.ak_access = ACL_COMPARE;
+ ak.ak_state = NULL;
+ rs->sr_err = access_allowed( op, &ak );
if ( ! rs->sr_err ) {
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
goto return_results;