From: Howard Chu Date: Sat, 10 Sep 2005 01:16:55 +0000 (+0000) Subject: ITS#2757 remove be_isroot checks, simplify... X-Git-Tag: OPENLDAP_REL_ENG_2_2_MP~447 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=262c44772da0aba23de5b8a69aa997b1b24c760d;p=openldap ITS#2757 remove be_isroot checks, simplify... --- diff --git a/servers/slapd/back-bdb/modrdn.c b/servers/slapd/back-bdb/modrdn.c index 0a6b8d7fd2..16025c4c48 100644 --- a/servers/slapd/back-bdb/modrdn.c +++ b/servers/slapd/back-bdb/modrdn.c @@ -29,7 +29,6 @@ bdb_modrdn( Operation *op, SlapReply *rs ) AttributeDescription *entry = slap_schema.si_ad_entry; struct berval p_dn, p_ndn; struct berval new_dn = {0, NULL}, new_ndn = {0, NULL}; - int isroot = -1; Entry *e = NULL; Entry *p = NULL; EntryInfo *ei = NULL, *eip = NULL, *nei = NULL, *neip = NULL; @@ -253,7 +252,15 @@ retry: /* transaction retry */ } if ( be_issuffix( op->o_bd, &e->e_nname ) ) { +#ifdef BDB_MULTIPLE_SUFFIXES + /* Allow renaming one suffix entry to another */ p_ndn = slap_empty_bv; +#else + /* There can only be one suffix entry */ + rs->sr_err = LDAP_NAMING_VIOLATION; + rs->sr_text = "cannot rename suffix entry"; + goto return_results; +#endif } else { dnParent( &e->e_nname, &p_ndn ); } @@ -290,101 +297,48 @@ retry: /* transaction retry */ rs->sr_text = "old entry's parent does not exist"; goto return_results; } + } else { + p = (Entry *)&slap_entry_root; + } - /* check parent for "children" acl */ - rs->sr_err = access_allowed( op, p, - children, NULL, - op->oq_modrdn.rs_newSup == NULL ? - ACL_WRITE : ACL_WDEL, - NULL ); + /* check parent for "children" acl */ + rs->sr_err = access_allowed( op, p, + children, NULL, + op->oq_modrdn.rs_newSup == NULL ? + ACL_WRITE : ACL_WDEL, + NULL ); - if ( ! rs->sr_err ) { - switch( opinfo.boi_err ) { - case DB_LOCK_DEADLOCK: - case DB_LOCK_NOTGRANTED: - goto retry; - } - - rs->sr_err = LDAP_INSUFFICIENT_ACCESS; - Debug( LDAP_DEBUG_TRACE, "no access to parent\n", 0, - 0, 0 ); - rs->sr_text = "no write access to old parent's children"; - goto return_results; - } + if ( !p_ndn.bv_len ) + p = NULL; - Debug( LDAP_DEBUG_TRACE, - LDAP_XSTRING(bdb_modrdn) ": wr to children " - "of entry %s OK\n", p_ndn.bv_val, 0, 0 ); - - if ( p_ndn.bv_val == slap_empty_bv.bv_val ) { - p_dn = slap_empty_bv; - } else { - dnParent( &e->e_name, &p_dn ); + if ( ! rs->sr_err ) { + switch( opinfo.boi_err ) { + case DB_LOCK_DEADLOCK: + case DB_LOCK_NOTGRANTED: + goto retry; } - Debug( LDAP_DEBUG_TRACE, - LDAP_XSTRING(bdb_modrdn) ": parent dn=%s\n", - p_dn.bv_val, 0, 0 ); + rs->sr_err = LDAP_INSUFFICIENT_ACCESS; + Debug( LDAP_DEBUG_TRACE, "no access to parent\n", 0, + 0, 0 ); + rs->sr_text = "no write access to old parent's children"; + goto return_results; + } + Debug( LDAP_DEBUG_TRACE, + LDAP_XSTRING(bdb_modrdn) ": wr to children " + "of entry %s OK\n", p_ndn.bv_val, 0, 0 ); + + if ( p_ndn.bv_val == slap_empty_bv.bv_val ) { + p_dn = slap_empty_bv; } else { - /* no parent, modrdn entry directly under root */ - isroot = be_isroot( op ); - if ( ! isroot ) { - if ( be_issuffix( op->o_bd, (struct berval *)&slap_empty_bv ) - || be_shadow_update( op ) ) { - - p = (Entry *)&slap_entry_root; - - /* check parent for "children" acl */ - rs->sr_err = access_allowed( op, p, - children, NULL, - op->oq_modrdn.rs_newSup == NULL ? - ACL_WRITE : ACL_WDEL, - NULL ); - - p = NULL; - - if ( ! rs->sr_err ) { - switch( opinfo.boi_err ) { - case DB_LOCK_DEADLOCK: - case DB_LOCK_NOTGRANTED: - goto retry; - } - - rs->sr_err = LDAP_INSUFFICIENT_ACCESS; - Debug( LDAP_DEBUG_TRACE, - "no access to parent\n", - 0, 0, 0 ); - rs->sr_text = "no write access to old parent"; - goto return_results; - } - - Debug( LDAP_DEBUG_TRACE, - LDAP_XSTRING(bdb_modrdn) - ": wr to children of entry \"\" OK\n", - 0, 0, 0 ); - - p_dn.bv_val = ""; - p_dn.bv_len = 0; - - Debug( LDAP_DEBUG_TRACE, - LDAP_XSTRING(bdb_modrdn) - ": parent dn=\"\"\n", - 0, 0, 0 ); - - } else { - Debug( LDAP_DEBUG_TRACE, - LDAP_XSTRING(bdb_modrdn) - ": no parent, not root " - "& \"\" is not suffix\n", - 0, 0, 0); - rs->sr_text = "no write access to old parent"; - rs->sr_err = LDAP_INSUFFICIENT_ACCESS; - goto return_results; - } - } + dnParent( &e->e_name, &p_dn ); } + Debug( LDAP_DEBUG_TRACE, + LDAP_XSTRING(bdb_modrdn) ": parent dn=%s\n", + p_dn.bv_val, 0, 0 ); + new_parent_dn = &p_dn; /* New Parent unless newSuperior given */ if ( op->oq_modrdn.rs_newSup != NULL ) { @@ -402,6 +356,15 @@ retry: /* transaction retry */ } } + /* There's a BDB_MULTIPLE_SUFFIXES case here that this code doesn't + * support. E.g., two suffixes dc=foo,dc=com and dc=bar,dc=net. + * We do not allow modDN + * dc=foo,dc=com + * newrdn dc=bar + * newsup dc=net + * and we probably should. But since MULTIPLE_SUFFIXES is deprecated + * I'm ignoring this problem for now. + */ if ( op->oq_modrdn.rs_newSup != NULL ) { if ( op->oq_modrdn.rs_newSup->bv_len ) { np_dn = op->oq_modrdn.rs_newSup; @@ -493,62 +456,35 @@ retry: /* transaction retry */ } } else { - if ( isroot == -1 ) { - isroot = be_isroot( op ); - } - np_dn = NULL; /* no parent, modrdn entry directly under root */ - if ( ! isroot ) { - if ( be_issuffix( op->o_bd, (struct berval *)&slap_empty_bv ) - || be_isupdate( op ) ) { - np = (Entry *)&slap_entry_root; - - /* check parent for "children" acl */ - rs->sr_err = access_allowed( op, np, - children, NULL, ACL_WADD, NULL ); - - np = NULL; - - if ( ! rs->sr_err ) { - switch( opinfo.boi_err ) { - case DB_LOCK_DEADLOCK: - case DB_LOCK_NOTGRANTED: - goto retry; - } - - rs->sr_err = LDAP_INSUFFICIENT_ACCESS; - Debug( LDAP_DEBUG_TRACE, - "no access to new superior\n", - 0, 0, 0 ); - rs->sr_text = - "no write access to new superior's children"; - goto return_results; + if ( be_issuffix( op->o_bd, (struct berval *)&slap_empty_bv ) + || be_isupdate( op ) ) { + np = (Entry *)&slap_entry_root; + + /* check parent for "children" acl */ + rs->sr_err = access_allowed( op, np, + children, NULL, ACL_WADD, NULL ); + + np = NULL; + + if ( ! rs->sr_err ) { + switch( opinfo.boi_err ) { + case DB_LOCK_DEADLOCK: + case DB_LOCK_NOTGRANTED: + goto retry; } - Debug( LDAP_DEBUG_TRACE, - LDAP_XSTRING(bdb_modrdn) - ": wr to children " - "of entry \"\" OK\n", - 0, 0, 0 ); - - } else { - Debug( LDAP_DEBUG_TRACE, - LDAP_XSTRING(bdb_modrdn) - ": new superior=\"\", not root " - "& \"\" is not suffix\n", - 0, 0, 0 ); - rs->sr_text = "no write access to new superior's children"; rs->sr_err = LDAP_INSUFFICIENT_ACCESS; + Debug( LDAP_DEBUG_TRACE, + "no access to new superior\n", + 0, 0, 0 ); + rs->sr_text = + "no write access to new superior's children"; goto return_results; } } - - Debug( LDAP_DEBUG_TRACE, - LDAP_XSTRING(bdb_modrdn) - ": new superior=\"\"\n", - 0, 0, 0 ); } Debug( LDAP_DEBUG_TRACE,