ITS#6804 fix ACL_RECORD_VALUE_STATE macro, was skipping past the ACL
authorHoward Chu <hyc@openldap.org>
Thu, 27 Jan 2011 00:50:26 +0000 (00:50 +0000)
committerHoward Chu <hyc@openldap.org>
Thu, 27 Jan 2011 00:50:26 +0000 (00:50 +0000)
instead of resuming from the intended one

servers/slapd/acl.c

index 1617b5382df2ff8e14c20077b515add62a720330..ef85ad2614e8ab6617bf1f04bdcdf6a1dc4b502b 100644 (file)
@@ -57,7 +57,9 @@ static AccessControl * slap_acl_get(
        AccessControlState *state );
 
 static slap_control_t slap_acl_mask(
-       AccessControl *ac, slap_mask_t *mask,
+       AccessControl *ac,
+       AccessControl *prev,
+       slap_mask_t *mask,
        Operation *op, Entry *e,
        AttributeDescription *desc,
        struct berval *val,
@@ -141,7 +143,7 @@ slap_access_allowed(
 {
        int                             ret = 1;
        int                             count;
-       AccessControl                   *a = NULL;
+       AccessControl                   *a, *prev;
 
 #ifdef LDAP_DEBUG
        char                            accessmaskbuf[ACCESSMASK_MAXLEN];
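Review bot: The new declaration `AccessControl *a, *prev;` drops the `= NULL` initializer the old `a` had, and `a` is read before the loop by the `prev = a;` added in the next hunk. The state-resume code between the two hunks is not visible here, so unless every path through it assigns `a`, that read is of an uninitialized pointer and `prev` then seeds the ACL walk with garbage. Keeping the initializer, `AccessControl *a = NULL, *prev = NULL;`, costs nothing and makes the first-iteration resume point (no previous ACL, count 0) explicit. slap_access_allowed's body continues outside this hunk.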
@@ -236,6 +238,7 @@ slap_access_allowed(
        }
 
        MATCHES_MEMSET( &matches );
+       prev = a;
 
        while ( ( a = slap_acl_get( a, &count, op, e, desc, val,
                &matches, &mask, state ) ) != NULL )
@@ -282,7 +285,7 @@ slap_access_allowed(
                        Debug( LDAP_DEBUG_ACL, "\n", 0, 0, 0 );
                }
 
-               control = slap_acl_mask( a, &mask, op,
+               control = slap_acl_mask( a, prev, &mask, op,
                        e, desc, val, &matches, count, state, access );
 
                if ( control != ACL_BREAK ) {
@@ -290,6 +293,7 @@ slap_access_allowed(
                }
 
                MATCHES_MEMSET( &matches );
+               prev = a;
        }
 
        if ( ACL_IS_INVALID( mask ) ) {
@@ -717,8 +721,8 @@ slap_acl_get(
 #define ACL_RECORD_VALUE_STATE do { \
                if( state && !state->as_vd_acl_present ) { \
                        state->as_vd_acl_present = 1; \
-                       state->as_vd_acl = a; \
-                       state->as_vd_acl_count = count; \
+                       state->as_vd_acl = prev; \
+                       state->as_vd_acl_count = count - 1; \
                        ACL_PRIV_ASSIGN( state->as_vd_mask, *mask ); \
                } \
        } while( 0 )
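Review bot: The macro now silently depends on `prev` and `count` being locals of the expanding function that hold the ACL before `a` and the count after `a` was fetched, and nothing at the definition says so. Because the loop in slap_access_allowed obtains the next ACL by passing the current one to slap_acl_get(), storing `prev` and `count - 1` is what makes a resumed walk land on `a` instead of skipping it, which is the bug this commit fixes. A comment above the `#define` stating that invariant and listing the names it expects in scope (`state`, `prev`, `count`, `mask`) would stop the next use site from reintroducing the off-by-one; the macro's only caller is now slap_acl_mask, which is why it had to be removed from acl_mask_dnattr.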
@@ -1072,8 +1076,6 @@ acl_mask_dnattr(
                if ( ! bdn->a_self )
                        return 1;
 
-               ACL_RECORD_VALUE_STATE;
-
                /* this is a self clause, check if the target is an
                 * attribute.
                 */
@@ -1108,6 +1110,7 @@ acl_mask_dnattr(
 static slap_control_t
 slap_acl_mask(
        AccessControl           *a,
+       AccessControl           *prev,
        slap_mask_t             *mask,
        Operation               *op,
        Entry                   *e,
@@ -1155,6 +1158,36 @@ slap_acl_mask(
 
                ACL_INVALIDATE( modmask );
 
+               /* check for the "self" modifier in the <access> field */
+               if ( b->a_dn.a_self ) {
+                       const char *dummy;
+                       int rc, match = 0;
+
+                       ACL_RECORD_VALUE_STATE;
+
+                       /* must have DN syntax */
+                       if ( desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName &&
+                               !is_at_syntax( desc->ad_type, SLAPD_NAMEUID_SYNTAX )) continue;
+
+                       /* check if the target is an attribute. */
+                       if ( val == NULL ) continue;
+
+                       /* a DN must be present */
+                       if ( BER_BVISEMPTY( &op->o_ndn ) ) {
+                               continue;
+                       }
+
+                       /* target is attribute, check if the attribute value
+                        * is the op dn.
+                        */
+                       rc = value_match( &match, desc,
+                               desc->ad_type->sat_equality, 0,
+                               val, &op->o_ndn, &dummy );
+                       /* on match error or no match, fail the ACL clause */
+                       if ( rc != LDAP_SUCCESS || match != 0 )
+                               continue;
+               }
+
                /* AND <who> clauses */
                if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
                        Debug( LDAP_DEBUG_ACL, "<= check a_dn_pat: %s\n",
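Review bot: value_match() is handed `desc->ad_type->sat_equality` with no NULL check; the syntax test above only guarantees DN or NameAndOptionalUID syntax, and unless the schema loader guarantees an EQUALITY rule for every attribute type of those syntaxes (not confirmable from here), a custom DN-syntax attribute defined without one would pass a NULL matching rule to value_match(). Failing the clause closed with `if ( desc->ad_type->sat_equality == NULL ) continue;` before the call keeps a malformed schema from turning into a crash or an unintended grant. Note also that the block now runs before the `<who>` DN-pattern checks, so value_match() is performed for every self clause regardless of whether the rest of the clause could match; harmless for correctness but worth a one-line comment saying the ordering is intentional. The `for` loop over `b` that these `continue` statements belong to begins before the hunk.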
@@ -1726,36 +1759,6 @@ slap_acl_mask(
                        }
                }
 
-               /* check for the "self" modifier in the <access> field */
-               if ( b->a_dn.a_self ) {
-                       const char *dummy;
-                       int rc, match = 0;
-
-                       ACL_RECORD_VALUE_STATE;
-
-                       /* must have DN syntax */
-                       if ( desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName &&
-                               !is_at_syntax( desc->ad_type, SLAPD_NAMEUID_SYNTAX )) continue;
-
-                       /* check if the target is an attribute. */
-                       if ( val == NULL ) continue;
-
-                       /* a DN must be present */
-                       if ( BER_BVISEMPTY( &op->o_ndn ) ) {
-                               continue;
-                       }
-
-                       /* target is attribute, check if the attribute value
-                        * is the op dn.
-                        */
-                       rc = value_match( &match, desc,
-                               desc->ad_type->sat_equality, 0,
-                               val, &op->o_ndn, &dummy );
-                       /* on match error or no match, fail the ACL clause */
-                       if ( rc != LDAP_SUCCESS || match != 0 )
-                               continue;
-               }
-
 #ifdef SLAP_DYNACL
                if ( b->a_dynacl ) {
                        slap_dynacl_t   *da;