Use everywhere.
Apply search ACLs to operational attributes.
Only provide operational attributes when explicitly requested.
e->e_dn, attr, 0 );
/* the lastmod attributes are ignored by ACL checking */
- if ( strcasecmp( attr, "modifiersname" ) == 0 ||
- strcasecmp( attr, "modifytimestamp" ) == 0 ||
- strcasecmp( attr, "creatorsname" ) == 0 ||
- strcasecmp( attr, "createtimestamp" ) == 0 )
- {
- Debug( LDAP_DEBUG_ACL, "LASTMOD attribute: %s access allowed\n",
+ if ( oc_check_operational( attr ) ) {
+ Debug( LDAP_DEBUG_ACL, "Operational attribute: %s access allowed\n",
attr, 0, 0 );
return(1);
}
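Review bot: The new `if ( oc_check_operational( attr ) )` branch still returns 1 before any ACL is consulted, so operational attributes remain exempt from ACL evaluation in this function even though the description says search ACLs should now apply to them. If this is acl_access_allowed (the enclosing function starts and ends outside the hunk), the `acl_get_applicable`/`acl_access_allowed` pair added in the result.c hunk will always report access granted for an explicitly requested operational attribute, and the only trace of that is the LDAP_DEBUG_ACL line. Either remove the early return here and let the applicable ACL decide, or document the intent on the check: `/* operational attrs bypass ACLs entirely; read access to them is granted unconditionally */`.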
regmatch_t matches[MAXREMATCHES];
/* the lastmod attributes are ignored by ACL checking */
- if ( strcasecmp( mlist->ml_type, "modifiersname" ) == 0 ||
- strcasecmp( mlist->ml_type, "modifytimestamp" ) == 0 ||
- strcasecmp( mlist->ml_type, "creatorsname" ) == 0 ||
- strcasecmp( mlist->ml_type, "createtimestamp" ) == 0 )
- {
- Debug( LDAP_DEBUG_ACL, "LASTMOD attribute: %s access allowed\n",
+ if ( oc_check_operational( mlist->ml_type ) ) {
+ Debug( LDAP_DEBUG_ACL, "Operational attribute: %s access allowed\n",
mlist->ml_type, 0, 0 );
continue;
}
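Review bot: The `continue` after `oc_check_operational( mlist->ml_type )` means a client-supplied modification of an operational attribute is never ACL-checked here, so the only thing standing between the client and the write is the stripping done in add_lastmods in the later hunks. If any backend path reaches the write without calling add_lastmods (inferred, e.g. when the lastmod bookkeeping is disabled), the modification goes through unchecked. At minimum make the dependency explicit: `/* not ACL-checked: add_lastmods() must strip user-supplied operational attrs before the write */`. The enclosing function starts and ends outside this hunk.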
/* remove any attempts by the user to add these attrs */
for ( a = &e->e_attrs; *a != NULL; a = next ) {
- if ( strcasecmp( (*a)->a_type, "modifiersname" ) == 0 ||
- strcasecmp( (*a)->a_type, "modifytimestamp" ) == 0 ||
- strcasecmp( (*a)->a_type, "creatorsname" ) == 0 ||
- strcasecmp( (*a)->a_type, "createtimestamp" ) == 0 ) {
+ if ( oc_check_operational( (*a)->a_type ) ) {
tmp = *a;
*a = (*a)->a_next;
attr_free( tmp );
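Review bot: The unlink-and-free on the `oc_check_operational( (*a)->a_type )` path silently discards attribute values the client sent, whereas a request carrying server-maintained attributes would normally be answered with an error rather than quietly trimmed; if the silent drop is deliberate, say so: `/* server-maintained attrs supplied by the client are discarded, not rejected */`. The hunk also ends before `next` is assigned; since the loop increment is `a = next`, the removal path must set `next = a` (not the address of the freed element's a_next) so the element that slid into `*a` is examined too — confirm against the lines after L39. The enclosing function starts and ends outside this hunk.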
/* remove any attempts by the user to modify these attrs */
for ( m = modlist; *m != NULL; m = &(*m)->ml_next ) {
- if ( strcasecmp( (*m)->ml_type, "modifytimestamp" ) == 0 ||
- strcasecmp( (*m)->ml_type, "modifiersname" ) == 0 ||
- strcasecmp( (*m)->ml_type, "createtimestamp" ) == 0 ||
- strcasecmp( (*m)->ml_type, "creatorsname" ) == 0 ) {
-
+ if ( oc_check_operational( (*m)->ml_type ) ) {
Debug( LDAP_DEBUG_TRACE,
- "add_lastmods: found lastmod attr: %s\n",
+ "add_lastmods: found operational attr: %s\n",
(*m)->ml_type, 0, 0 );
tmp = *m;
*m = (*m)->ml_next;
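Review bot: After `*m = (*m)->ml_next;` the for-increment `m = &(*m)->ml_next` advances past the element that just moved into `*m`, so that element is never tested; two consecutive operational attributes in the modlist leave the second one in place, and since acl_check_modlist skips operational attributes (earlier hunk) it would then be written unchecked. Unless the rest of the body (outside the hunk) re-adjusts `m`, replace the increment-based removal with an explicit `continue` that does not advance, e.g. keep `m` where it is when an element was unlinked and only step to `&(*m)->ml_next` when nothing was removed. The same loop appears in the second add_lastmods hunk at L54-67. The enclosing function starts and ends outside this hunk.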
/* remove any attempts by the user to modify these attrs */
for ( m = modlist; *m != NULL; m = &(*m)->ml_next ) {
- if ( strcasecmp( (*m)->ml_type, "modifytimestamp" ) == 0 ||
- strcasecmp( (*m)->ml_type, "modifiersname" ) == 0 ||
- strcasecmp( (*m)->ml_type, "createtimestamp" ) == 0 ||
- strcasecmp( (*m)->ml_type, "creatorsname" ) == 0 ) {
-
+ if ( oc_check_operational( (*m)->ml_type ) ) {
Debug( LDAP_DEBUG_TRACE,
- "add_lastmods: found lastmod attr: %s\n",
+ "add_lastmods: found operational attr: %s\n",
(*m)->ml_type, 0, 0 );
tmp = *m;
*m = (*m)->ml_next;
*/
int oc_schema_check LDAP_P(( Entry *e ));
+int oc_check_operational LDAP_P(( char *type ));
ObjectClass *oc_find LDAP_P((const char *ocname));
int oc_add LDAP_P((LDAP_OBJECT_CLASS *oc, const char **err));
Syntax *syn_find LDAP_P((const char *synname));
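Review bot: The new prototype `int oc_check_operational LDAP_P(( char *type ));` takes a mutable pointer although the function only reads `type` through strcasecmp, and it sits next to `oc_find LDAP_P((const char *ocname))` which is const-correct; callers passing attribute names they do not own should not need a non-const pointer. Change it to `int oc_check_operational LDAP_P(( const char *type ));` and the matching definition in the schema.c hunk (`oc_check_operational( const char *type )` at L115). A one-line doc comment on the prototype would also help, since the function now has external linkage: `/* returns non-zero if type is a server-maintained operational attribute (case-insensitive) */`.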
for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
regmatch_t matches[MAXREMATCHES];
- if ( attrs != NULL && ! charray_inlist( attrs, a->a_type ) ) {
- continue;
- }
-
- /* the lastmod attributes are ignored by ACL checking */
- if ( strcasecmp( a->a_type, "modifiersname" ) == 0 ||
- strcasecmp( a->a_type, "modifytimestamp" ) == 0 ||
- strcasecmp( a->a_type, "creatorsname" ) == 0 ||
- strcasecmp( a->a_type, "createtimestamp" ) == 0 )
- {
- Debug( LDAP_DEBUG_ACL, "LASTMOD attribute: %s access DEFAULT\n",
- a->a_type, 0, 0 );
- acl = NULL;
+ if ( attrs == NULL ) {
+ /* all addrs request, skip operational attributes */
+ if( oc_check_operational( a->a_type )) {
+ continue;
+ }
} else {
- acl = acl_get_applicable( be, op, e, a->a_type,
- MAXREMATCHES, matches );
+ /* specific addrs requested */
+ if ( !charray_inlist( attrs, a->a_type )) {
+ continue;
+ }
}
+ acl = acl_get_applicable( be, op, e, a->a_type,
+ MAXREMATCHES, matches );
+
if ( ! acl_access_allowed( acl, be, conn, e,
NULL, op, ACL_READ, edn, matches ) )
{
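Review bot: The two new comments read `all addrs request` and `specific addrs requested`; both mean attrs, so they should say what the branches do, e.g. `/* no attribute list: return user attributes only, skip operational ones */` and `/* explicit attribute list: return only the attributes asked for */`. Note that the newly unconditional `acl_get_applicable`/`acl_access_allowed` call is only as strict as acl_access_allowed makes it; if that function still short-circuits on oc_check_operational (see the acl.c hunk), an explicitly requested operational attribute is still returned regardless of ACLs. The enclosing function starts and ends outside this hunk.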
/*
* check to see if attribute is 'operational' or not.
- * this function should be externalized...
+ * this list should be extensible...
*/
-static int
+int
oc_check_operational( char *type )
{
return ( strcasecmp( type, "modifiersname" ) == 0 ||
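Review bot: Making oc_check_operational external ties two different policies to one list: every name it matches is now both stripped from client-supplied adds and modifications and exempted from ACL evaluation in acl.c, so extending the list as the comment "this list should be extensible..." invites will silently widen the ACL exemption as well. Spell that out where the list lives: `/* NOTE: every type listed here is also exempt from ACL checks in acl.c; keep this to server-maintained attrs only */`. The function body continues past the hunk.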
val.bv_val = ch_strdup( "top" );
val.bv_len = strlen( val.bv_val );
- attr_merge( e, "objectclass", vals );
+ attr_merge( e, "objectClass", vals );
ldap_memfree( val.bv_val );
val.bv_val = ch_strdup( "subschema" );
val.bv_len = strlen( val.bv_val );
- attr_merge( e, "objectclass", vals );
+ attr_merge( e, "objectClass", vals );
ldap_memfree( val.bv_val );
if ( syn_schema_info( e ) ) {