From: Kurt Zeilenga Date: Thu, 27 Jan 2000 18:35:36 +0000 (+0000) Subject: Don't exclude no-user-modification attributes from ACL checks X-Git-Tag: LDBM_PRE_GIANT_RWLOCK~3236 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=df712b8597aa27613efc904fc85d7ac562d627a0;p=openldap Don't exclude no-user-modification attributes from ACL checks unless access requested is WRITE. This allows you to apply an ACL to limit search/reading of no-user-modification attributes. Writes, of course, are always prohibited (by do_add, do_modify).
---
diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index f50005d09f..cc0802a211 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -98,8 +98,12 @@ access_allowed(
 return 1;
 }
 
- /* no user modify operational attributes are ignored by ACL checking */
- if ( oc_check_no_usermod_attr( attr ) ) {
+ /*
+ * no-user-modification operational attributes are ignored
+ * by ACL_WRITE checking as any found here are not provided
+ * by the user
+ */
+ if ( access >= ACL_WRITE && oc_check_no_usermod_attr( attr ) ) {
 Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
 " %s access granted\n",
 attr, 0, 0 );
@@ -623,9 +627,14 @@ acl_check_modlist(
 }
 
 for ( ; mlist != NULL; mlist = mlist->ml_next ) {
- /* the lastmod attributes are ignored by ACL checking */
+ /*
+ * no-user-modification operational attributes are ignored
+ * by ACL_WRITE checking as any found here are not provided
+ * by the user
+ */
 if ( oc_check_no_usermod_attr( mlist->ml_type ) ) {
- Debug( LDAP_DEBUG_ACL, "Operational attribute: %s access allowed\n",
+ Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
+ " modify access granted\n",
 mlist->ml_type, 0, 0 );
 continue;
 }
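Review bot: The new condition `if ( access >= ACL_WRITE && oc_check_no_usermod_attr( attr ) )` in access_allowed lets write-class requests on no-user-modification attributes bypass every ACL, so enforcement for those attributes now rests entirely on do_add and do_modify rejecting user-supplied values before this function is reached, as the commit message states but the code does not. The comment should name that invariant so a future caller does not rely on access_allowed alone, e.g. `* Callers (do_add/do_modify) must already have rejected user-supplied values; this grant is not ACL-controlled`. The `>= ACL_WRITE` comparison also depends on the ACL_* access levels being ordered with write-class levels highest, which cannot be confirmed from this hunk; a brief comment noting that ordering dependency would help. The body of access_allowed continues outside the hunk.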
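Review bot: The replacement Debug format in acl_check_modlist, `"NoUserMod Operational attribute:" " modify access granted\n"`, contains no `%s`, yet `mlist->ml_type` is still passed as the first argument, so the attribute name that the old message printed is silently dropped from the log (and the argument is left unconsumed by the format). The access_allowed hunk keeps `" %s access granted\n"`; this one should match it: `" %s modify access granted\n",`. The new comment is copied verbatim from access_allowed, but the list being walked here is the client's modify list, so "not provided by the user" holds only because do_modify has already rejected user-supplied no-user-modification attributes (per the commit message); the comment should state that precondition instead of describing an ACL_WRITE check this function never performs. The for loop's body continues outside the hunk.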