From 59ef329ca171efd2d35549218d3086d8c6bc463b Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga
Date: Tue, 15 Jan 2002 16:28:13 +0000
Subject: [PATCH] disallow selfwriters from deleting all values with replace

---
 servers/slapd/acl.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index c813eda544..56ff6c172d 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -899,16 +899,20 @@ acl_check_modlist(
 	switch ( mlist->sml_op ) {
 	case LDAP_MOD_REPLACE:
-		if ( mlist->sml_bvalues == NULL ) {
-			if ( ! access_allowed( be, conn, op, e,
-				mlist->sml_desc, NULL, ACL_WRITE ) )
-			{
-				return( 0 );
-			}
-			break;
+		/*
+		 * We must check both permission to delete the whole
+		 * attribute and permission to add the specific attributes.
+		 * This prevents abuse from selfwriters.
+		 */
+		if ( ! access_allowed( be, conn, op, e,
+			mlist->sml_desc, NULL, ACL_WRITE ) )
+		{
+			return( 0 );
 		}
-		/* fall thru */
+		if ( mlist->sml_bvalues == NULL ) break;
+
+		/* fall thru to check value to add */
 	case LDAP_MOD_ADD:
 		assert( mlist->sml_bvalues != NULL );
-- 
2.39.2
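Review bot: The new comment in the LDAP_MOD_REPLACE case says "permission to add the specific attributes", but the fall-through into LDAP_MOD_ADD checks the specific values of one attribute, and the comment never says why the whole-attribute check must come first, so a later reader could drop the `NULL` value check as redundant with the per-value checks. I would reword it to name the threat the subject line describes: `/* A REPLACE deletes every existing value before adding the new ones, so write access to the attribute as a whole (val == NULL) is checked first; checking only the added values would let a selfwriter (presumably write on own-DN values only) wipe every other value. */`. The one-line `if ( mlist->sml_bvalues == NULL ) break;` should also be braced and split onto its own lines to match the braced access_allowed check just above it, since an unbraced single statement right before a fall-through is where a later edit silently gains or loses a line. The switch continues past the hunk, so the LDAP_MOD_DELETE case, which has the same values-versus-whole-attribute split, is not visible here to confirm it orders its checks the same way.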