allow backend_attribute to check access to "entry" and "children" pseudo-attributes

author Pierangelo Masarati <ando@openldap.org>

Fri, 6 Jan 2006 16:24:07 +0000 (16:24 +0000)

committer Pierangelo Masarati <ando@openldap.org>

Fri, 6 Jan 2006 16:24:07 +0000 (16:24 +0000)
author Pierangelo Masarati <ando@openldap.org>
Fri, 6 Jan 2006 16:24:07 +0000 (16:24 +0000)
committer Pierangelo Masarati <ando@openldap.org>
Fri, 6 Jan 2006 16:24:07 +0000 (16:24 +0000)
diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c

index 85fb4bebc7383b526ec1acc561b6a58ab94f6988..3256dd05f09e106feb7d0f70fb1bfcec29881ddb 100644 (file)
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -1457,6 +1457,19 @@ fe_acl_attribute(
         } 
  
         if ( e ) {
+               if ( entry_at == slap_schema.si_ad_entry || entry_at == slap_schema.si_ad_children ) {
+                       assert( vals == NULL );
+
+                       rc = LDAP_SUCCESS;
+                       if ( op->o_conn && access > ACL_NONE &&
+                               access_allowed( op, e, entry_at, NULL,
+                                               access, &acl_state ) == 0 )
+                       {
+                               rc = LDAP_INSUFFICIENT_ACCESS;
+                       }
+                       goto freeit;
+               }
+
                 a = attr_find( e->e_attrs, entry_at );
                 if ( a == NULL ) {
                         SlapReply       rs = { 0 };
author	Pierangelo Masarati <ando@openldap.org>
	Fri, 6 Jan 2006 16:24:07 +0000 (16:24 +0000)
committer	Pierangelo Masarati <ando@openldap.org>
	Fri, 6 Jan 2006 16:24:07 +0000 (16:24 +0000)