Make sure attribute ACLs are evaluated on ADD operations (see ITS#4556)
authorEmmanuel Dreyfus <manu@openldap.org>
Mon, 29 Sep 2008 22:08:29 +0000 (22:08 +0000)
committerEmmanuel Dreyfus <manu@openldap.org>
Mon, 29 Sep 2008 22:08:29 +0000 (22:08 +0000)
servers/slapd/back-bdb/add.c
servers/slapd/back-ndb/add.cpp
servers/slapd/bconfig.c

index d6fba1bdd2e22c5ab52eff976dfec4cf3e5fbfa5..b9f7fedc7893f64c3a800328a9d1cb275ba30eaa 100644 (file)
@@ -299,6 +299,24 @@ retry:     /* transaction retry */
                goto return_results;;
        }
 
+       /* 
+        * Check ACL for attribute write access
+        */
+       if (!acl_check_modlist(op, oe, op->ora_modlist)) {
+               switch( opinfo.boi_err ) {
+               case DB_LOCK_DEADLOCK:
+               case DB_LOCK_NOTGRANTED:
+                       goto retry;
+               }
+
+               Debug( LDAP_DEBUG_TRACE,
+                       LDAP_XSTRING(bdb_add) ": no write access to attribute\n",
+                       0, 0, 0 );
+               rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+               rs->sr_text = "no write access to attribute";
+               goto return_results;;
+       }
+
        if ( eid == NOID ) {
                rs->sr_err = bdb_next_id( op->o_bd, &eid );
                if( rs->sr_err != 0 ) {
index 8a5ca68fec294a4376cc0a3cde6767e22c8c6fa2..cd7bffe12992ccdb196228755c358a951f02bc66 100644 (file)
@@ -223,6 +223,19 @@ is_ref:                    p.e_attrs = NULL;
                goto return_results;;
        }
 
+       /* 
+        * Check ACL for attribute write access
+        */
+       if (!acl_check_modlist(op, op->ora_e, op->ora_modlist)) {
+               Debug( LDAP_DEBUG_TRACE,
+                       LDAP_XSTRING(bdb_add) ": no write access to attribute\n",
+                       0, 0, 0 );
+               rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+               rs->sr_text = "no write access to attribute";
+               goto return_results;;
+       }
+
+
        /* acquire entry ID */
        if ( op->ora_e->e_id == NOID ) {
                rs->sr_err = ndb_next_id( op->o_bd, NA.ndb, &op->ora_e->e_id );
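Review bot: The trace message at line 47 names `bdb_add` although this file is the back-ndb add path, so a denial logged here would be attributed to the wrong backend; replace `LDAP_XSTRING(bdb_add)` with the name of this function (its definition starts above the hunk). Unlike the back-bdb hunk there is no deadlock/retry handling around the ACL check, which looks appropriate for ndb but deserves a short comment if acl_check_modlist can reach the database here. Lines 53–54 also leave two consecutive blank lines before the "acquire entry ID" comment.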
index d8cae7fb3b205d4b61f4f28160099a36c5d7662d..6aacf27fcb59de79656e5e3a45456d7b946137f3 100644 (file)
@@ -4633,6 +4633,15 @@ config_back_add( Operation *op, SlapReply *rs )
                goto out;
        }
 
+       /*
+        * Check for attribute ACL
+        */
+       if ( !acl_check_modlist( op, op->ora_e, op->orm_modlist )) {
+               rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+               rs->sr_text = "no write access to attribute";
+               goto out;
+       }
+
        cfb = (CfBackInfo *)op->o_bd->be_private;
 
        /* add opattrs for syncprov */
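Review bot: Line 66 passes `op->orm_modlist`, the Modify request's field, where the back-bdb and back-ndb hunks pass `op->ora_modlist`; in an Add handler the request payload is the add request, and if `o_request` is a union the two names need not designate the same member, so the ACL check may be evaluated on the wrong pointer. The consistent line is `if ( !acl_check_modlist( op, op->ora_e, op->ora_modlist )) {`. config_back_add begins before this hunk and continues after it.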