From 0cf9b3790896b032dfb5536cc1e46c4f1eaac4ec Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati
Date: Fri, 16 Nov 2001 12:24:22 +0000
Subject: [PATCH] non-root modrdn of entries rooted at '' checks children write permission (completes previous add/delete fix; needs be ported to back-bdb)
---
 servers/slapd/back-ldbm/modrdn.c | 50 +++++++++++++++++++++++++-------
 1 file changed, 40 insertions(+), 10 deletions(-)
diff --git a/servers/slapd/back-ldbm/modrdn.c b/servers/slapd/back-ldbm/modrdn.c
index e93f762a6d..545f452ad4 100644
--- a/servers/slapd/back-ldbm/modrdn.c
+++ b/servers/slapd/back-ldbm/modrdn.c
@@ -204,20 +204,50 @@ ldbm_back_modrdn( #endif } else { - /* no parent, modrdn entry directly under root */ - if( ! be_isroot( be, op->o_ndn ) && ! be_issuffix( be, "" ) ) { + /* no parent, must be root to modify rdn */ + if( ! be_isroot( be, op->o_ndn ) ) { + if ( be_issuffix( be, "" ) ) { + static const Entry rootp = { NOID, "", "", NULL, NULL }; + p = (Entry *)&rootp; + + rc = access_allowed( be, conn, op, p, + children, NULL, ACL_WRITE ); + p = NULL; + + /* check parent for "children" acl */ + if ( ! rc ) { #ifdef NEW_LOGGING - LDAP_LOG(( "backend", LDAP_LEVEL_INFO, - "ldbm_back_modrdn: (%s) no parent & not a root.\n", - e->e_dn )); + LDAP_LOG(( "backend", LDAP_LEVEL_ERR, + "ldbm_back_modrdn: no access " + "to parent of ("")\n" )); #else - Debug( LDAP_DEBUG_TRACE, "no parent & not root\n", - 0, 0, 0); + Debug( LDAP_DEBUG_TRACE, + "<=- ldbm_back_modrdn: no " + "access to parent\n", 0, 0, 0 ); #endif - send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, - NULL, NULL, NULL, NULL ); - goto return_results; + send_ldap_result( conn, op, + LDAP_INSUFFICIENT_ACCESS, + NULL, NULL, NULL, NULL ); + goto return_results; + } + + } else { +#ifdef NEW_LOGGING + LDAP_LOG(( "backend", LDAP_LEVEL_ERR, + "ldbm_back_modrdn: (%s) has no " + "parent & not a root.\n", dn )); +#else + Debug( LDAP_DEBUG_TRACE, + "<=- ldbm_back_modrdn: no parent & " + "not root\n", 0, 0, 0); +#endif + + send_ldap_result( conn, op, + LDAP_INSUFFICIENT_ACCESS, + NULL, NULL, NULL, NULL ); + goto return_results; + } } ldap_pvt_thread_mutex_lock(&li->li_root_mutex); -- 2.39.5
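Review bot: In the NEW_LOGGING branch of the new denied-access path, `"to parent of ("")\n"` is two adjacent string literals that concatenate to `to parent of ()`, so the quotes meant to show the empty suffix never reach the log; escape them as `"to parent of (\"\")\n"`. The same path casts away const with `p = (Entry *)&rootp` on a static object that every thread would share, which is safe only if access_allowed() never writes through the entry it is given. That is not visible in this hunk, so a comment stating the assumption, and why `p` is reset to NULL right after the check, would help the next reader. Since this is an authorization denial, consider also logging the requester (e.g. `op->o_ndn`, if it is printable as a string here) so the LDAP_INSUFFICIENT_ACCESS result can be tied to an identity during audit. ldbm_back_modrdn starts and ends outside the hunk.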