more on manage access level
authorPierangelo Masarati <ando@openldap.org>
Thu, 18 Aug 2005 02:25:10 +0000 (02:25 +0000)
committerPierangelo Masarati <ando@openldap.org>
Thu, 18 Aug 2005 02:25:10 +0000 (02:25 +0000)
servers/slapd/acl.c
servers/slapd/add.c
servers/slapd/backend.c
servers/slapd/modify.c

index d6bc21d3118c8f69c9902ac5317b946499accf58..cb6c91ba802985099952a6ad19c6e5e5c9893dc0 100644 (file)
@@ -192,8 +192,12 @@ slap_access_allowed(
         * no-user-modification operational attributes are ignored
         * by ACL_WRITE checking as any found here are not provided
         * by the user
+        *
+        * NOTE: but they are not ignored for ACL_MANAGE, because
+        * if we get here it means a non-root user is trying to 
+        * manage data, so we need to check its privileges.
         */
-       if ( access_level >= ACL_WRITE && is_at_no_user_mod( desc->ad_type )
+       if ( access_level == ACL_WRITE && is_at_no_user_mod( desc->ad_type )
                && desc != slap_schema.si_ad_entry
                && desc != slap_schema.si_ad_children )
        {
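Review bot: The narrowed test `access_level == ACL_WRITE` now matches only that one level, while acl_check_modlist in this same commit requests ACL_WADD and ACL_WDEL. If those are distinct values (their definitions are not visible here), no-user-modification attributes in add and delete modifications would stop taking this shortcut, which the updated comment does not mention. Once the intent is confirmed, I would record it in the comment, for example `* NOTE: the test is an exact match on ACL_WRITE; ACL_WADD and ACL_WDEL requests are not covered.` The same test is changed in the hunk at -595,8, and the enclosing function continues outside both hunks.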
@@ -384,10 +388,17 @@ access_allowed_mask(
 
        assert( attr != NULL );
 
-       if ( op && op->o_is_auth_check &&
-               ( access_level == ACL_SEARCH || access_level == ACL_READ ) )
-       {
-               access = ACL_AUTH;
+       if ( op ) {
+               if ( op->o_is_auth_check &&
+                       ( access_level == ACL_SEARCH || access_level == ACL_READ ) )
+               {
+                       access = ACL_AUTH;
+
+               } else if ( get_manageDIT( op ) && access_level == ACL_WRITE &&
+                       desc == slap_schema.si_ad_entry )
+               {
+                       access = ACL_MANAGE;
+               }
        }
 
        if ( state ) {
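Review bot: The manage escalation added here is copied verbatim into the hunk at -528,10, so the rule that turns a write check into an ACL_MANAGE check now lives in two places that can drift apart. Nothing explains why it applies only to `desc == slap_schema.si_ad_entry` at exactly `access_level == ACL_WRITE`; a comment such as `/* manageDIT: writing the entry pseudo-attribute requires manage, not write, privileges */` above the `else if` would help. Consider moving the whole `if ( op ) { ... }` selection into one static helper called from both sites. How `access` is consumed lies outside the hunk, so its effect on the final decision cannot be checked from here.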
@@ -528,10 +539,17 @@ access_allowed_mask(
 
        assert( attr != NULL );
 
-       if ( op && op->o_is_auth_check &&
-               ( access_level == ACL_SEARCH || access_level == ACL_READ ) )
-       {
-               access = ACL_AUTH;
+       if ( op ) {
+               if ( op->o_is_auth_check &&
+                       ( access_level == ACL_SEARCH || access_level == ACL_READ ) )
+               {
+                       access = ACL_AUTH;
+
+               } else if ( get_manageDIT( op ) && access_level == ACL_WRITE &&
+                       desc == slap_schema.si_ad_entry )
+               {
+                       access = ACL_MANAGE;
+               }
        }
 
        if ( state ) {
@@ -595,8 +613,12 @@ access_allowed_mask(
         * no-user-modification operational attributes are ignored
         * by ACL_WRITE checking as any found here are not provided
         * by the user
+        *
+        * NOTE: but they are not ignored for ACL_MANAGE, because
+        * if we get here it means a non-root user is trying to 
+        * manage data, so we need to check its privileges.
         */
-       if ( access_level >= ACL_WRITE && is_at_no_user_mod( desc->ad_type )
+       if ( access_level == ACL_WRITE && is_at_no_user_mod( desc->ad_type )
                && desc != slap_schema.si_ad_entry
                && desc != slap_schema.si_ad_children )
        {
@@ -2237,8 +2259,7 @@ int
 acl_check_modlist(
        Operation       *op,
        Entry   *e,
-       Modifications   *mlist
-)
+       Modifications   *mlist )
 {
        struct berval *bv;
        AccessControlState state = ACL_STATE_INIT;
@@ -2307,7 +2328,9 @@ acl_check_modlist(
                         * This prevents abuse from selfwriters.
                         */
                        if ( ! access_allowed( op, e,
-                               mlist->sml_desc, NULL, ACL_WDEL, &state ) )
+                               mlist->sml_desc, NULL,
+                               mlist->sml_managing ? ACL_MANAGE : ACL_WDEL,
+                               &state ) )
                        {
                                ret = 0;
                                goto done;
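Review bot: `mlist->sml_managing` is now the only input that selects the stricter ACL_MANAGE level, and the ternary is repeated in four access_allowed() calls (here and in the hunks at -2325,7, -2336,7 and -2348,7). Every assignment to that field visible in this commit sets it to 0, so the ACL_MANAGE branch looks unreachable from the code shown; please confirm where it is set for requests carrying the manageDIT control. For readability, compute the level once per modification, e.g. `slap_access_t wdel = mlist->sml_managing ? ACL_MANAGE : ACL_WDEL;` with a matching `wadd`, and pass those. acl_check_modlist continues outside the hunk.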
@@ -2325,7 +2348,9 @@ acl_check_modlist(
                                bv->bv_val != NULL; bv++ )
                        {
                                if ( ! access_allowed( op, e,
-                                       mlist->sml_desc, bv, ACL_WADD, &state ) )
+                                       mlist->sml_desc, bv,
+                                       mlist->sml_managing ? ACL_MANAGE : ACL_WADD,
+                                       &state ) )
                                {
                                        ret = 0;
                                        goto done;
@@ -2336,7 +2361,9 @@ acl_check_modlist(
                case LDAP_MOD_DELETE:
                        if ( mlist->sml_values == NULL ) {
                                if ( ! access_allowed( op, e,
-                                       mlist->sml_desc, NULL, ACL_WDEL, NULL ) )
+                                       mlist->sml_desc, NULL,
+                                       mlist->sml_managing ? ACL_MANAGE : ACL_WDEL,
+                                       NULL ) )
                                {
                                        ret = 0;
                                        goto done;
@@ -2348,7 +2375,9 @@ acl_check_modlist(
                                bv->bv_val != NULL; bv++ )
                        {
                                if ( ! access_allowed( op, e,
-                                       mlist->sml_desc, bv, ACL_WDEL, &state ) )
+                                       mlist->sml_desc, bv,
+                                       mlist->sml_managing ? ACL_MANAGE : ACL_WDEL,
+                                       &state ) )
                                {
                                        ret = 0;
                                        goto done;
index 7df87348aa1c7b1b5b8740e63044c4b5e5b24230..e446eaf2480da8afa9fb190502d12472bf23aa5b 100644 (file)
@@ -110,6 +110,7 @@ do_add( Operation *op, SlapReply *rs )
                }
 
                mod  = (Modifications *) ch_malloc( sizeof(Modifications) );
+               mod->sml_managing = 0;
                mod->sml_op = LDAP_MOD_ADD;
                mod->sml_flags = 0;
                mod->sml_next = NULL;
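Review bot: Initialising `sml_managing` by hand at each allocation site means any `Modifications` allocated elsewhere and missed by this commit carries an indeterminate value into acl_check_modlist, where it chooses between ACL_MANAGE and ACL_WADD/ACL_WDEL. Zero-filling at allocation removes that class of omission: `mod = (Modifications *) ch_calloc( 1, sizeof(Modifications) );`. The same applies to the allocations in slap_entry2mods and slap_mods_opattrs changed further down. do_add's body continues outside the hunk.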
@@ -577,6 +578,7 @@ slap_entry2mods(
        while ( a_new != NULL ) {
                a_new_desc = a_new->a_desc;
                mod = (Modifications *) malloc( sizeof( Modifications ));
+               mod->sml_managing = 0;
                
                mod->sml_op = LDAP_MOD_REPLACE;
                mod->sml_flags = 0;
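Review bot: The added `mod->sml_managing = 0;` is now the first write through the result of a plain `malloc()` that is not checked for NULL in the lines shown. The other allocation sites in this commit use `ch_malloc`; using it here as well, `mod = (Modifications *) ch_malloc( sizeof( Modifications ) );`, would be consistent, provided the list is released with the matching routine. The release code is outside the hunk, so that needs confirming.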
index 63a3d00a98c7e4b0fa1b4741f849087794c82446..7577bac1a08133a7f5b218073cb49df3c7c7508c 100644 (file)
@@ -835,11 +835,14 @@ backend_check_controls(
                }
        }
 
+       /* temporarily removed */
+#if 0
        /* check should be generalized */
        if( get_manageDIT(op) && !be_isroot(op)) {
                rs->sr_text = "requires manager authorization";
                rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
        }
+#endif
 
 done:;
        return rs->sr_err;
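Review bot: Wrapping the `get_manageDIT(op) && !be_isroot(op)` rejection in `#if 0` removes the only gate visible here that refuses the manageDIT control from non-root identities, and `/* temporarily removed */` records neither the reason nor what enforces the restriction instead. Judging by the acl.c hunks, the intended replacement is the ACL_MANAGE check, but every `sml_managing` assignment in this commit is 0, so please confirm that each operation honouring the control reaches an ACL_MANAGE evaluation. I would expand the comment to something like `/* disabled: manageDIT is authorized through ACL_MANAGE in acl.c; restore if any operation can honour the control without that check */`. backend_check_controls begins outside the hunk.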
index 9dd1061f7f0f6b045864317c5937d48f2b6fbbed..e25b40b81feb8e87cc25df40d521a10baf5f23ee 100644 (file)
@@ -106,6 +106,7 @@ do_modify(
                mod->sml_values = tmp.sml_values;
                mod->sml_nvalues = NULL;
                mod->sml_desc = NULL;
+               mod->sml_managing = 0;
                mod->sml_next = NULL;
                *modtail = mod;
 
@@ -140,7 +141,7 @@ do_modify(
                                        goto cleanup;
                                }
 
-                               if( mod->sml_values[1].bv_val ) {
+                               if ( !BER_BVISNULL( &mod->sml_values[ 1 ] ) ) {
                                        Debug( LDAP_DEBUG_ANY, "do_modify: modify/increment "
                                                "operation (%ld) requires single value\n",
                                                (long) mop, 0, 0 );
@@ -251,10 +252,10 @@ fe_op_modify( Operation *op, SlapReply *rs )
                if ( tmp->sml_values == NULL ) {
                        Debug( LDAP_DEBUG_ARGS, "%s\n",
                           "\t\tno values", NULL, NULL );
-               } else if ( tmp->sml_values[0].bv_val == NULL ) {
+               } else if ( BER_BVISNULL( &tmp->sml_values[ 0 ] ) ) {
                        Debug( LDAP_DEBUG_ARGS, "%s\n",
                           "\t\tzero values", NULL, NULL );
-               } else if ( tmp->sml_values[1].bv_val == NULL ) {
+               } else if ( BER_BVISNULL( &tmp->sml_values[ 1 ] ) ) {
                        Debug( LDAP_DEBUG_ARGS, "%s, length %ld\n",
                           "\t\tone value", (long) tmp->sml_values[0].bv_len, NULL );
                } else {
@@ -883,22 +884,21 @@ int slap_mods_opattrs(
                        if( rc != LDAP_SUCCESS ) return rc;
 
                        mod = (Modifications *) ch_malloc( sizeof( Modifications ) );
+                       mod->sml_managing = 0;
                        mod->sml_op = mop;
                        mod->sml_flags = SLAP_MOD_INTERNAL;
-                       mod->sml_type.bv_val = NULL;
+                       BER_BVZERO( &mod->sml_type );
                        mod->sml_desc = slap_schema.si_ad_structuralObjectClass;
                        mod->sml_values =
                                (BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
                        ber_dupbv( &mod->sml_values[0], &tmpval );
-                       mod->sml_values[1].bv_len = 0;
-                       mod->sml_values[1].bv_val = NULL;
-                       assert( mod->sml_values[0].bv_val != NULL );
+                       BER_BVZERO( &mod->sml_values[1] );
+                       assert( !BER_BVISNULL( &mod->sml_values[0] ) );
                        mod->sml_nvalues =
                                (BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
                        ber_dupbv( &mod->sml_nvalues[0], &tmpval );
-                       mod->sml_nvalues[1].bv_len = 0;
-                       mod->sml_nvalues[1].bv_val = NULL;
-                       assert( mod->sml_nvalues[0].bv_val != NULL );
+                       BER_BVZERO( &mod->sml_nvalues[1] );
+                       assert( !BER_BVISNULL( &mod->sml_nvalues[0] ) );
                        *modtail = mod;
                        modtail = &mod->sml_next;
                }
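Review bot: The rewritten `assert( !BER_BVISNULL( &mod->sml_values[0] ) )` remains the only check that `ber_dupbv` produced a value, and assertions disappear when NDEBUG is defined. A build without assertions could then link a modification whose first value is NULL into the list. Consider testing the call directly, `if ( ber_dupbv( &mod->sml_values[0], &tmpval ) == NULL )`, and returning an error after releasing `mod`. The later slap_mods_opattrs hunks repeat the pattern for both `sml_values` and `sml_nvalues`, and the function continues outside the hunk.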
@@ -920,16 +920,16 @@ int slap_mods_opattrs(
                                tmpval.bv_val = uuidbuf;
                        
                                mod = (Modifications *) ch_malloc( sizeof( Modifications ) );
+                               mod->sml_managing = 0;
                                mod->sml_op = mop;
                                mod->sml_flags = SLAP_MOD_INTERNAL;
-                               mod->sml_type.bv_val = NULL;
+                               BER_BVZERO( &mod->sml_type );
                                mod->sml_desc = slap_schema.si_ad_entryUUID;
                                mod->sml_values =
                                        (BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
                                ber_dupbv( &mod->sml_values[0], &tmpval );
-                               mod->sml_values[1].bv_len = 0;
-                               mod->sml_values[1].bv_val = NULL;
-                               assert( mod->sml_values[0].bv_val != NULL );
+                               BER_BVZERO( &mod->sml_values[1] );
+                               assert( !BER_BVISNULL( &mod->sml_values[0] ) );
                                mod->sml_nvalues =
                                        (BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
                                (*mod->sml_desc->ad_type->sat_equality->smr_normalize)(
@@ -937,8 +937,7 @@ int slap_mods_opattrs(
                                                mod->sml_desc->ad_type->sat_syntax,
                                                mod->sml_desc->ad_type->sat_equality,
                                                mod->sml_values, mod->sml_nvalues, NULL );
-                               mod->sml_nvalues[1].bv_len = 0;
-                               mod->sml_nvalues[1].bv_val = NULL;
+                               BER_BVZERO( &mod->sml_nvalues[1] );
                                *modtail = mod;
                                modtail = &mod->sml_next;
                        }
@@ -954,22 +953,21 @@ int slap_mods_opattrs(
 
                        if ( mod == *modtail ) {
                                mod = (Modifications *) ch_malloc( sizeof( Modifications ) );
+                               mod->sml_managing = 0;
                                mod->sml_op = mop;
                                mod->sml_flags = SLAP_MOD_INTERNAL;
-                               mod->sml_type.bv_val = NULL;
+                               BER_BVZERO( &mod->sml_type );
                                mod->sml_desc = slap_schema.si_ad_creatorsName;
                                mod->sml_values =
                                        (BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
                                ber_dupbv( &mod->sml_values[0], &name );
-                               mod->sml_values[1].bv_len = 0;
-                               mod->sml_values[1].bv_val = NULL;
-                               assert( mod->sml_values[0].bv_val != NULL );
+                               BER_BVZERO( &mod->sml_values[1] );
+                               assert( !BER_BVISNULL( &mod->sml_values[0] ) );
                                mod->sml_nvalues =
                                        (BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
                                ber_dupbv( &mod->sml_nvalues[0], &nname );
-                               mod->sml_nvalues[1].bv_len = 0;
-                               mod->sml_nvalues[1].bv_val = NULL;
-                               assert( mod->sml_nvalues[0].bv_val != NULL );
+                               BER_BVZERO( &mod->sml_nvalues[1] );
+                               assert( !BER_BVISNULL( &mod->sml_nvalues[0] ) );
                                *modtail = mod;
                                modtail = &mod->sml_next;
                        }
@@ -985,16 +983,16 @@ int slap_mods_opattrs(
 
                        if ( mod == *modtail ) {
                                mod = (Modifications *) ch_malloc( sizeof( Modifications ) );
+                               mod->sml_managing = 0;
                                mod->sml_op = mop;
                                mod->sml_flags = SLAP_MOD_INTERNAL;
-                               mod->sml_type.bv_val = NULL;
+                               BER_BVZERO( &mod->sml_type );
                                mod->sml_desc = slap_schema.si_ad_createTimestamp;
                                mod->sml_values =
                                        (BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
                                ber_dupbv( &mod->sml_values[0], &timestamp );
-                               mod->sml_values[1].bv_len = 0;
-                               mod->sml_values[1].bv_val = NULL;
-                               assert( mod->sml_values[0].bv_val != NULL );
+                               BER_BVZERO( &mod->sml_values[1] );
+                               assert( !BER_BVISNULL( &mod->sml_values[0] ) );
                                mod->sml_nvalues = NULL;
                                *modtail = mod;
                                modtail = &mod->sml_next;
@@ -1004,15 +1002,15 @@ int slap_mods_opattrs(
 
        if ( SLAP_LASTMOD( op->o_bd ) ) {
                mod = (Modifications *) ch_malloc( sizeof( Modifications ) );
+               mod->sml_managing = 0;
                mod->sml_op = mop;
                mod->sml_flags = SLAP_MOD_INTERNAL;
-               mod->sml_type.bv_val = NULL;
+               BER_BVZERO( &mod->sml_type );
                mod->sml_desc = slap_schema.si_ad_entryCSN;
                mod->sml_values = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
                ber_dupbv( &mod->sml_values[0], &csn );
-               mod->sml_values[1].bv_len = 0;
-               mod->sml_values[1].bv_val = NULL;
-               assert( mod->sml_values[0].bv_val != NULL );
+               BER_BVZERO( &mod->sml_values[1] );
+               assert( !BER_BVISNULL( &mod->sml_values[0] ) );
                mod->sml_nvalues = NULL;
                *modtail = mod;
                modtail = &mod->sml_next;
@@ -1028,21 +1026,20 @@ int slap_mods_opattrs(
 
                if ( mod == *modtail ) {
                        mod = (Modifications *) ch_malloc( sizeof( Modifications ) );
+                       mod->sml_managing = 0;
                        mod->sml_op = mop;
                        mod->sml_flags = SLAP_MOD_INTERNAL;
-                       mod->sml_type.bv_val = NULL;
+                       BER_BVZERO( &mod->sml_type );
                        mod->sml_desc = slap_schema.si_ad_modifiersName;
                        mod->sml_values = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
                        ber_dupbv( &mod->sml_values[0], &name );
-                       mod->sml_values[1].bv_len = 0;
-                       mod->sml_values[1].bv_val = NULL;
-                       assert( mod->sml_values[0].bv_val != NULL );
+                       BER_BVZERO( &mod->sml_values[1] );
+                       assert( !BER_BVISNULL( &mod->sml_values[0] ) );
                        mod->sml_nvalues =
                                (BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
                        ber_dupbv( &mod->sml_nvalues[0], &nname );
-                       mod->sml_nvalues[1].bv_len = 0;
-                       mod->sml_nvalues[1].bv_val = NULL;
-                       assert( mod->sml_nvalues[0].bv_val != NULL );
+                       BER_BVZERO( &mod->sml_nvalues[1] );
+                       assert( !BER_BVISNULL( &mod->sml_nvalues[0] ) );
                        *modtail = mod;
                        modtail = &mod->sml_next;
                }
@@ -1058,15 +1055,15 @@ int slap_mods_opattrs(
 
                if ( mod == *modtail ) {
                        mod = (Modifications *) ch_malloc( sizeof( Modifications ) );
+                       mod->sml_managing = 0;
                        mod->sml_op = mop;
                        mod->sml_flags = SLAP_MOD_INTERNAL;
-                       mod->sml_type.bv_val = NULL;
+                       BER_BVZERO( &mod->sml_type );
                        mod->sml_desc = slap_schema.si_ad_modifyTimestamp;
                        mod->sml_values = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
                        ber_dupbv( &mod->sml_values[0], &timestamp );
-                       mod->sml_values[1].bv_len = 0;
-                       mod->sml_values[1].bv_val = NULL;
-                       assert( mod->sml_values[0].bv_val != NULL );
+                       BER_BVZERO( &mod->sml_values[1] );
+                       assert( !BER_BVISNULL( &mod->sml_values[0] ) );
                        mod->sml_nvalues = NULL;
                        *modtail = mod;
                        modtail = &mod->sml_next;