From: Howard Chu
Date: Tue, 13 Jun 2006 03:19:07 +0000 (+0000)
Subject: ITS#4587, selfwrite should apply to more than just USERS acl's
X-Git-Tag: OPENLDAP_REL_ENG_2_4_3ALPHA~9^2~130
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=adba963c324e01b66ae84be47778ea97f725c398;p=openldap
ITS#4587, selfwrite should apply to more than just USERS acl's
---
diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index 3a3568f011..0f62341788 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -690,6 +690,27 @@ acl_mask_dn(
 * value is set in a_dn_style; however, the string
 * is maintaned in a_dn_pat.
 */
+ if ( b->a_self ) {
+ const char *dummy;
+ int rc, match = 0;
+
+ /* must have DN syntax */
+ if ( desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName ) return 1;
+
+ /* check if the target is an attribute. */
+ if ( val == NULL ) return 1;
+
+ /* target is attribute, check if the attribute value
+ * is the op dn.
+ */
+ rc = value_match( &match, desc,
+ desc->ad_type->sat_equality, 0,
+ val, opndn, &dummy );
+ /* on match error or no match, fail the ACL clause */
+ if ( rc != LDAP_SUCCESS || match != 0 )
+ return 1;
+ }
+
 if ( b->a_style == ACL_STYLE_ANONYMOUS ) {
 if ( !BER_BVISEMPTY( opndn ) ) {
 return 1;
@@ -700,27 +721,6 @@ acl_mask_dn(
 return 1;
 }
- if ( b->a_self ) {
- const char *dummy;
- int rc, match = 0;
-
- /* must have DN syntax */
- if ( desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName ) return 1;
-
- /* check if the target is an attribute. */
- if ( val == NULL ) return 1;
-
- /* target is attribute, check if the attribute value
- * is the op dn.
- */
- rc = value_match( &match, desc,
- desc->ad_type->sat_equality, 0,
- val, opndn, &dummy );
- /* on match error or no match, fail the ACL clause */
- if ( rc != LDAP_SUCCESS || match != 0 )
- return 1;
- }
-
 } else if ( b->a_style == ACL_STYLE_SELF ) {
 struct berval ndn, selfndn;
 int level;
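Review bot: In the first hunk the relocated `if ( b->a_self ) {` block lands directly under the existing comment about `a_dn_style`/`a_dn_pat`, which does not describe it, and nothing in the code says that the self check now gates every dn style before the style dispatch. A one-line comment above the block would make that access-control intent reviewable, for example `/* selfwrite: checked for every dn style; the clause applies only if the DN-valued target equals the op dn */`. Since the check is now reached on more paths, it is also worth confirming that `desc->ad_type->sat_equality` cannot be NULL for a DN-syntax attribute before it is handed to `value_match`. If it can, `if ( desc->ad_type->sat_equality == NULL ) return 1;` after the syntax test would keep the clause failing closed. acl_mask_dn starts and ends outside the hunk, so how `desc` and `val` are populated by callers is not visible here.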