test for ITS#4587; another bit of fix for that

diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index 0f623417888ad5f4f01be89a2ff1f37e5f2884c7..c960cc90198fd5219bc884369a799644c84b7687 100644 (file)
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -700,6 +700,11 @@ acl_mask_dn(
                /* check if the target is an attribute. */
                if ( val == NULL ) return 1;
 
+               /* a DN must be present */
+               if ( BER_BVISEMPTY( opndn ) ) {
+                       return 1;
+               }
+
                /* target is attribute, check if the attribute value
                 * is the op dn.
                 */

diff --git a/tests/data/acl.out.master b/tests/data/acl.out.master
index 1d4423e1d4ff47cb1238464bc86627730ee782f5..74c7c937c8889e4e80c907d56c3c753750ae8933 100644 (file)
--- a/tests/data/acl.out.master
+++ b/tests/data/acl.out.master
@@ -68,7 +68,6 @@ member: cn=Jane Doe,ou=Alumni Association,ou=People,dc=example,dc=com
 member: cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc
  =com
 member: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com
-member: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com
 member: cn=James A Jones 2,ou=Information Technology Division,ou=People,dc=exa
  mple,dc=com
 member: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com

diff --git a/tests/data/slapd-acl.conf b/tests/data/slapd-acl.conf
index 531a1b730e2d61dde49a5661fc5e80ce8d884ebf..a168e5cd5ec647ff12ce4eab64fcd44e5c6ebbd4 100644 (file)
--- a/tests/data/slapd-acl.conf
+++ b/tests/data/slapd-acl.conf
@@ -110,6 +110,7 @@ access              to dn.children="ou=Alumni Association,ou=People,dc=example,dc=com"
 
 #access                to attrs=member,uniquemember dn.subtree="dc=example,dc=com"
 access         to attrs=member,uniquemember
+               by dn.exact="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com" selfwrite
                by dnattr=member selfwrite
                by dnattr=uniquemember selfwrite
                by * read

diff --git a/tests/scripts/test006-acls b/tests/scripts/test006-acls
index 6f131be1246c5edef5314f8ba8e07ca236de602c..9add9f277e650cb8072e233558fb8e31dc25095c 100755 (executable)
--- a/tests/scripts/test006-acls
+++ b/tests/scripts/test006-acls
@@ -103,6 +103,47 @@ $LDAPSEARCH -h $LOCALHOST -p $PORT1 \
        -D "$BJORNSDN" -w bjorn \
        -b "$BABSDN" -s base "(objectclass=*)" cn >> $SEARCHOUT 2>&1
 
+# check selfwrite access (ITS#4587).  Two attempts are made:
+# 1) delete someone else (should fail)
+# 2) delete self (should succeed)
+#
+$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
+       $TESTOUT 2>&1 << EOMODS
+dn: cn=All Staff,ou=Groups,dc=example,dc=com
+changetype: modify
+delete: member
+member: $BABSDN
+EOMODS
+RC=$?
+case $RC in
+50)
+       ;;
+0)
+       echo "ldapmodify should have failed ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit -1
+       ;;
+*)
+       echo "ldapmodify failed ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit $RC
+       ;;
+esac
+
+$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
+       $TESTOUT 2>&1 << EOMODS
+dn: cn=All Staff,ou=Groups,dc=example,dc=com
+changetype: modify
+delete: member
+member: $JAJDN
+EOMODS
+RC=$?
+if test $RC != 0 ; then
+       echo "ldapmodify failed ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit $RC
+fi
+
 #
 # Check group access. Try to modify Babs' entry. Two attempts:
 # 1) bound as "James A Jones 1" - should fail