From: Howard Chu Date: Thu, 27 Dec 2007 00:51:45 +0000 (+0000) Subject: Require compare (not read) access to entry attr for compare ops X-Git-Tag: OPENLDAP_REL_ENG_2_4_9~20^2~274 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=b0a0ac4914045f691972f14edfaafc1e818346d0;p=openldap Require compare (not read) access to entry attr for compare ops --- diff --git a/doc/man/man5/slapd-sock.5 b/doc/man/man5/slapd-sock.5 index d0d3472c50..99b467337d 100644 --- a/doc/man/man5/slapd-sock.5 +++ b/doc/man/man5/slapd-sock.5 @@ -186,11 +186,8 @@ to the underlying program. The .B compare operation requires -.B read (=r) -access (FIXME: wouldn't .B compare (=c) -be a more appropriate choice?) -to the +access to the .B entry pseudo-attribute of the object whose value is being asserted; diff --git a/servers/slapd/back-sock/compare.c b/servers/slapd/back-sock/compare.c index 71fd6f1778..032210a93a 100644 --- a/servers/slapd/back-sock/compare.c +++ b/servers/slapd/back-sock/compare.c @@ -48,7 +48,7 @@ sock_back_compare( e.e_private = NULL; if ( ! access_allowed( op, &e, - entry, NULL, ACL_READ, NULL ) ) + entry, NULL, ACL_COMPARE, NULL ) ) { send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL ); return -1;
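Review bot: In doc/man/man5/slapd-sock.5, the rewritten compare paragraph names only compare (=c) and gives no hint that the backend previously required read (=r) on the entry pseudo-attribute. An administrator who wrote an ACL from the old wording, in particular with the exact-privilege form =r, has nothing here saying that =c is now needed. Suggest one added sentence stating that earlier versions required read (=r), so the change is discoverable from the man page and not only from the commit log.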
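Review bot: In servers/slapd/back-sock/compare.c, the access_allowed() call in sock_back_compare() changes the privilege it requests on entry from ACL_READ to ACL_COMPARE with no comment and no accompanying test, so the new authorization boundary is only recorded in the man page. Since this check decides whether a compare request is passed on or rejected with LDAP_INSUFFICIENT_ACCESS, I would add a short comment above the call saying that compare operations require compare access on entry, and a regression test covering an identity that holds only compare on entry (expected to pass the check) and one that holds none (expected to get LDAP_INSUFFICIENT_ACCESS).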