From 537a4cae02311497bbf6c31d27c8eb63f71d7cfe Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati
Date: Tue, 20 Apr 2004 14:42:48 +0000
Subject: [PATCH] global ACLs were not used because op->o_bd is set to &backends[0] if NULL
---
 servers/slapd/acl.c | 32 ++++++++++++++++++++------------
 1 file changed, 20 insertions(+), 12 deletions(-)
diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index 418387146a..a9db8c393b 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -132,6 +132,10 @@ static int aci_match_set ( struct berval *subj, Operation *op,
 * returns:
 * 0 access denied
 * 1 access granted
+ *
+ * Notes:
+ * - can be legally called with op == NULL
+ * - can be legally called with op->o_bd == NULL
 */
 int
@@ -147,8 +151,7 @@ access_allowed_mask(
 int ret = 1;
 int count;
 AccessControl *a = NULL;
- Backend *be;
- int be_null = 0;
+ Backend *be, *old_be;
 #ifdef LDAP_DEBUG
 char accessmaskbuf[ACCESSMASK_MAXLEN];
@@ -211,10 +214,15 @@ access_allowed_mask(
 goto done;
 }
- be = op->o_bd;
+ be = old_be = op->o_bd;
 if ( be == NULL ) {
+ /*
+ * FIXME: is this needed by slapi only? We might find
+ * a better way to pass the appropriate information
+ * that is relevant at this stage, e.g. a fake BackendDB
+ * with global info
+ */
 be = &backends[0];
- be_null = 1;
 op->o_bd = be;
 }
 assert( be != NULL );
@@ -228,9 +236,10 @@ access_allowed_mask(
 }
 }
 #endif /* LDAP_SLAPI */
+ op->o_bd = old_be;
 /* grant database root access */
- if ( be != NULL && be_isroot( op ) ) {
+ if ( old_be && be_isroot( op ) ) {
 #ifdef NEW_LOGGING
 LDAP_LOG( ACL, INFO,
 "access_allowed: conn %lu root access granted\n",
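Review bot: The Notes added to the header comment (hunk at -132) promise that access_allowed_mask may be called with op == NULL, yet the hunk at -211 reads `op->o_bd` and writes `op->o_bd = be` with no NULL test in the lines shown. The `goto done; }` context just above that assignment may be the guard, but it is outside what the patch displays. If it is, the note should name it, e.g. `* - op == NULL is handled by the early exit before backend selection`; if it is not, the comment documents a NULL dereference in the access-control path. The function body starts and ends outside these hunks.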
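Review bot: Between `op->o_bd = be;` (hunk at -211) and the new `op->o_bd = old_be;` after `#endif /* LDAP_SLAPI */` (hunk at -228), the operation is bound to `&backends[0]`, and the last hunk (at -445) removes the only restore that ran on every exit, `if (be_null) op->o_bd = NULL;`. The SLAPI block is not shown, but the two closing braces before `#endif` suggest a nested exit; if it can `goto done`, the caller gets its Operation back still pointing at the first database, and later checks on that op would be judged by that database's ACLs rather than the global ones. Putting `op->o_bd = old_be;` immediately before any jump inside that block closes the gap. A restore at `done:` would only be safe if `old_be` were initialised at its declaration, since the `goto done;` visible above the assignment reaches the label first.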
@@ -269,27 +278,27 @@ access_allowed_mask(
 }
 /* use backend default access if no backend acls */
- if( be != NULL && be->be_acl == NULL ) {
+ if( old_be != NULL && old_be->be_acl == NULL ) {
 #ifdef NEW_LOGGING
 LDAP_LOG( ACL, DETAIL1,
 "access_allowed: backend default %s access %s to \"%s\"\n",
 access2str( access ),
- be->be_dfltaccess >= access ? "granted" : "denied",
+ old_be->be_dfltaccess >= access ? "granted" : "denied",
 op->o_dn.bv_val ? op->o_dn.bv_val : "(anonymous)" );
 #else
 Debug( LDAP_DEBUG_ACL,
 "=> access_allowed: backend default %s access %s to \"%s\"\n",
 access2str( access ),
- be->be_dfltaccess >= access ? "granted" : "denied",
+ old_be->be_dfltaccess >= access ? "granted" : "denied",
 op->o_dn.bv_val ? op->o_dn.bv_val : "(anonymous)" );
 #endif
- ret = be->be_dfltaccess >= access;
+ ret = old_be->be_dfltaccess >= access;
 if ( maskp ) {
 int i;
 mask = ACL_PRIV_LEVEL;
- for ( i = ACL_NONE; i <= be->be_dfltaccess; i++ ) {
+ for ( i = ACL_NONE; i <= old_be->be_dfltaccess; i++ ) {
 mask |= ACL_ACCESS2PRIV( i );
 }
 }
@@ -299,7 +308,7 @@ access_allowed_mask(
 #ifdef notdef
 /* be is always non-NULL */
 /* use global default access if no global acls */
- } else if ( be == NULL && global_acl == NULL ) {
+ } else if ( old_be == NULL && global_acl == NULL ) {
 #ifdef NEW_LOGGING
 LDAP_LOG( ACL, DETAIL1,
 "access_allowed: global default %s access %s to \"%s\"\n",
@@ -445,7 +454,6 @@ done:
 }
 state->as_recorded |= ACL_STATE_RECORDED;
 }
- if (be_null) op->o_bd = NULL;
 if ( maskp ) *maskp = mask;
 return ret;
 }
-- 
2.39.5
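Review bot: Nothing at the `old_be` tests in the hunk at -269 says why they must not use `be`, which is still in scope and equals `&backends[0]` whenever the operation arrived without a backend. A short comment above `if( old_be != NULL && old_be->be_acl == NULL )` would keep a later cleanup from merging the two variables again: `/* old_be is the caller's backend; be may be the borrowed backends[0], whose default access must not decide backend-less operations */`. The function continues outside this hunk.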
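Review bot: The `old_be == NULL && global_acl == NULL` branch (hunk at -299) is still compiled out by `#ifdef notdef`, and its justification `/* be is always non-NULL */` no longer matches the condition, because `old_be` is NULL in exactly the case this commit addresses. As written, an operation with no backend and no global ACLs never reaches the global-default branch. What it gets instead depends on code outside this hunk, presumably whatever the rule lookup does with an empty list. Either enable the branch or replace the stale comment with one that states the intended outcome, e.g. `/* disabled: backend-less ops with no global ACLs fall through to ACL evaluation */`.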