From: Pierangelo Masarati Date: Tue, 20 Apr 2004 14:42:48 +0000 (+0000) Subject: global ACLs were not used because op->o_bd is set to &backends[0] if NULL X-Git-Tag: OPENDLAP_REL_ENG_2_2_MP~463 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=537a4cae02311497bbf6c31d27c8eb63f71d7cfe;p=openldap global ACLs were not used because op->o_bd is set to &backends[0] if NULL --- diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index 418387146a..a9db8c393b 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -132,6 +132,10 @@ static int aci_match_set ( struct berval *subj, Operation *op, * returns: * 0 access denied * 1 access granted + * + * Notes: + * - can be legally called with op == NULL + * - can be legally called with op->o_bd == NULL */ int @@ -147,8 +151,7 @@ access_allowed_mask( int ret = 1; int count; AccessControl *a = NULL; - Backend *be; - int be_null = 0; + Backend *be, *old_be; #ifdef LDAP_DEBUG char accessmaskbuf[ACCESSMASK_MAXLEN]; @@ -211,10 +214,15 @@ access_allowed_mask( goto done; } - be = op->o_bd; + be = old_be = op->o_bd; if ( be == NULL ) { + /* + * FIXME: is this needed by slapi only? We might find + * a better way to pass the appropriate information + * that is relevant at this stage, e.g. a fake BackendDB + * with global info + */ be = &backends[0]; - be_null = 1; op->o_bd = be; } assert( be != NULL ); @@ -228,9 +236,10 @@ access_allowed_mask( } } #endif /* LDAP_SLAPI */ + op->o_bd = old_be; /* grant database root access */ - if ( be != NULL && be_isroot( op ) ) { + if ( old_be && be_isroot( op ) ) { #ifdef NEW_LOGGING LDAP_LOG( ACL, INFO, "access_allowed: conn %lu root access granted\n", @@ -269,27 +278,27 @@ access_allowed_mask( } /* use backend default access if no backend acls */ - if( be != NULL && be->be_acl == NULL ) { + if( old_be != NULL && old_be->be_acl == NULL ) { #ifdef NEW_LOGGING LDAP_LOG( ACL, DETAIL1, "access_allowed: backend default %s access %s to \"%s\"\n", access2str( access ), - be->be_dfltaccess >= access ? "granted" : "denied", + old_be->be_dfltaccess >= access ? "granted" : "denied", op->o_dn.bv_val ? op->o_dn.bv_val : "(anonymous)" ); #else Debug( LDAP_DEBUG_ACL, "=> access_allowed: backend default %s access %s to \"%s\"\n", access2str( access ), - be->be_dfltaccess >= access ? "granted" : "denied", + old_be->be_dfltaccess >= access ? "granted" : "denied", op->o_dn.bv_val ? op->o_dn.bv_val : "(anonymous)" ); #endif - ret = be->be_dfltaccess >= access; + ret = old_be->be_dfltaccess >= access; if ( maskp ) { int i; mask = ACL_PRIV_LEVEL; - for ( i = ACL_NONE; i <= be->be_dfltaccess; i++ ) { + for ( i = ACL_NONE; i <= old_be->be_dfltaccess; i++ ) { mask |= ACL_ACCESS2PRIV( i ); } } @@ -299,7 +308,7 @@ access_allowed_mask( #ifdef notdef /* be is always non-NULL */ /* use global default access if no global acls */ - } else if ( be == NULL && global_acl == NULL ) { + } else if ( old_be == NULL && global_acl == NULL ) { #ifdef NEW_LOGGING LDAP_LOG( ACL, DETAIL1, "access_allowed: global default %s access %s to \"%s\"\n", @@ -445,7 +454,6 @@ done: } state->as_recorded |= ACL_STATE_RECORDED; } - if (be_null) op->o_bd = NULL; if ( maskp ) *maskp = mask; return ret; }