From: Kurt Zeilenga Date: Fri, 4 Oct 2002 23:26:28 +0000 (+0000) Subject: Add "entry" ACL checks for add/delete/rename ops X-Git-Tag: NO_SLAP_OP_BLOCKS~926 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=9fbcc90bd5578c85fd1e3d5845a3ef6121cefc7a;p=openldap Add "entry" ACL checks for add/delete/rename ops --- diff --git a/servers/slapd/back-bdb/add.c b/servers/slapd/back-bdb/add.c index d00d88d0c5..76fac90435 100644 --- a/servers/slapd/back-bdb/add.c +++ b/servers/slapd/back-bdb/add.c @@ -28,6 +28,7 @@ bdb_add( char textbuf[SLAP_TEXT_BUFLEN]; size_t textlen = sizeof textbuf; AttributeDescription *children = slap_schema.si_ad_children; + AttributeDescription *entry = slap_schema.si_ad_entry; DB_TXN *ltid = NULL; struct bdb_op_info opinfo; #ifdef BDB_SUBENTRIES @@ -86,6 +87,11 @@ bdb_add( if( 0 ) { retry: /* transaction retry */ + if( p ) { + /* free parent and reader lock */ + bdb_unlocked_cache_return_entry_r( &bdb->bi_cache, p ); + p = NULL; + } rc = TXN_ABORT( ltid ); ltid = NULL; op->o_private = NULL; @@ -208,9 +214,6 @@ retry: /* transaction retry */ switch( opinfo.boi_err ) { case DB_LOCK_DEADLOCK: case DB_LOCK_NOTGRANTED: - /* free parent and reader lock */ - bdb_unlocked_cache_return_entry_r( &bdb->bi_cache, p ); - p = NULL; goto retry; } @@ -298,12 +301,14 @@ retry: /* transaction retry */ */ if ( !be_isroot( be, &op->o_ndn )) { if ( be_issuffix( be, (struct berval *)&slap_empty_bv ) - || be_isupdate( be, &op->o_ndn ) ) { + || be_isupdate( be, &op->o_ndn ) ) + { p = (Entry *)&slap_entry_root; /* check parent for "children" acl */ rc = access_allowed( be, conn, op, p, children, NULL, ACL_WRITE, NULL ); + p = NULL; switch( opinfo.boi_err ) { @@ -366,6 +371,28 @@ retry: /* transaction retry */ #endif } + rc = access_allowed( be, conn, op, e, + entry, NULL, ACL_WRITE, NULL ); + + switch( opinfo.boi_err ) { + case DB_LOCK_DEADLOCK: + case DB_LOCK_NOTGRANTED: + goto retry; + } + + if ( ! rc ) { +#ifdef NEW_LOGGING + LDAP_LOG ( OPERATION, DETAIL1, + "bdb_add: no write access to entry\n", 0, 0, 0 ); +#else + Debug( LDAP_DEBUG_TRACE, "bdb_add: no write access to entry\n", + 0, 0, 0 ); +#endif + rc = LDAP_INSUFFICIENT_ACCESS; + text = "no write access to entry"; + goto return_results;; + } + /* dn2id index */ rc = bdb_dn2id_add( be, ltid, &pdn, e ); if ( rc != 0 ) { diff --git a/servers/slapd/back-bdb/delete.c b/servers/slapd/back-bdb/delete.c index 6052c6ea91..ad5f1fe278 100644 --- a/servers/slapd/back-bdb/delete.c +++ b/servers/slapd/back-bdb/delete.c @@ -31,6 +31,7 @@ bdb_delete( const char *text; int manageDSAit = get_manageDSAit( op ); AttributeDescription *children = slap_schema.si_ad_children; + AttributeDescription *entry = slap_schema.si_ad_entry; DB_TXN *ltid = NULL; struct bdb_op_info opinfo; @@ -185,6 +186,7 @@ retry: /* transaction retry */ /* check parent for "children" acl */ rc = access_allowed( be, conn, op, p, children, NULL, ACL_WRITE, NULL ); + p = NULL; switch( opinfo.boi_err ) { @@ -231,6 +233,15 @@ retry: /* transaction retry */ #endif } + rc = access_allowed( be, conn, op, e, + entry, NULL, ACL_WRITE, NULL ); + + switch( opinfo.boi_err ) { + case DB_LOCK_DEADLOCK: + case DB_LOCK_NOTGRANTED: + goto retry; + } + /* get entry for read/modify/write */ rc = bdb_dn2entry_w( be, ltid, ndn, &e, &matched, DB_RMW, locker, &lock ); diff --git a/servers/slapd/back-bdb/modrdn.c b/servers/slapd/back-bdb/modrdn.c index 54b6de974e..ba920bc690 100644 --- a/servers/slapd/back-bdb/modrdn.c +++ b/servers/slapd/back-bdb/modrdn.c @@ -28,6 +28,7 @@ bdb_modrdn( { struct bdb_info *bdb = (struct bdb_info *) be->be_private; AttributeDescription *children = slap_schema.si_ad_children; + AttributeDescription *entry = slap_schema.si_ad_entry; struct berval p_dn, p_ndn; struct berval new_dn = {0, NULL}, new_ndn = {0, NULL}; int isroot = -1; @@ -536,7 +537,31 @@ retry: /* transaction retry */ new_parent_dn = np_dn; } - + + /* check write on old entry */ + rc = access_allowed( be, conn, op, e, + entry, NULL, ACL_WRITE, NULL ); + + switch( opinfo.boi_err ) { + case DB_LOCK_DEADLOCK: + case DB_LOCK_NOTGRANTED: + goto retry; + } + + if ( rc ) { +#ifdef NEW_LOGGING + LDAP_LOG ( OPERATION, ERR, + "==>bdb_modrdn: no access to entry\n", 0, 0, 0 ); +#else + Debug( LDAP_DEBUG_TRACE, "no access to entry\n", 0, + 0, 0 ); +#endif + send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, + NULL, NULL, NULL, NULL ); + goto return_results; + } + + /* Build target dn and make sure target entry doesn't exist already. */ build_new_dn( &new_dn, new_parent_dn, newrdn );