From 7a5b406cf17c2620432cd617dc48355ed574793f Mon Sep 17 00:00:00 2001 From: Emmanuel Dreyfus Date: Mon, 29 Sep 2008 22:08:29 +0000 Subject: [PATCH] Make sur attribute ACL are evaluated on ADD operations (see ITS#4556) --- servers/slapd/back-bdb/add.c | 18 ++++++++++++++++++ servers/slapd/back-ndb/add.cpp | 13 +++++++++++++ servers/slapd/bconfig.c | 9 +++++++++ 3 files changed, 40 insertions(+) diff --git a/servers/slapd/back-bdb/add.c b/servers/slapd/back-bdb/add.c index d6fba1bdd2..b9f7fedc78 100644 --- a/servers/slapd/back-bdb/add.c +++ b/servers/slapd/back-bdb/add.c @@ -299,6 +299,24 @@ retry: /* transaction retry */ goto return_results;; } + /* + * Check ACL for attribute write access + */ + if (!acl_check_modlist(op, oe, op->ora_modlist)) { + switch( opinfo.boi_err ) { + case DB_LOCK_DEADLOCK: + case DB_LOCK_NOTGRANTED: + goto retry; + } + + Debug( LDAP_DEBUG_TRACE, + LDAP_XSTRING(bdb_add) ": no write access to attribute\n", + 0, 0, 0 ); + rs->sr_err = LDAP_INSUFFICIENT_ACCESS; + rs->sr_text = "no write access to attribute"; + goto return_results;; + } + if ( eid == NOID ) { rs->sr_err = bdb_next_id( op->o_bd, &eid ); if( rs->sr_err != 0 ) { diff --git a/servers/slapd/back-ndb/add.cpp b/servers/slapd/back-ndb/add.cpp index 8a5ca68fec..cd7bffe129 100644 --- a/servers/slapd/back-ndb/add.cpp +++ b/servers/slapd/back-ndb/add.cpp @@ -223,6 +223,19 @@ is_ref: p.e_attrs = NULL; goto return_results;; } + /* + * Check ACL for attribute write access + */ + if (!acl_check_modlist(op, op->ora_e, op->ora_modlist)) { + Debug( LDAP_DEBUG_TRACE, + LDAP_XSTRING(bdb_add) ": no write access to attribute\n", + 0, 0, 0 ); + rs->sr_err = LDAP_INSUFFICIENT_ACCESS; + rs->sr_text = "no write access to attribute"; + goto return_results;; + } + + /* acquire entry ID */ if ( op->ora_e->e_id == NOID ) { rs->sr_err = ndb_next_id( op->o_bd, NA.ndb, &op->ora_e->e_id ); diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c index d8cae7fb3b..6aacf27fcb 100644 
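Review bot: The new `goto return_results;;` in the back-bdb hunk carries a stray second semicolon copied from the context line just above it; harmless, but the added line is the place to drop it: `goto return_results;`. The `switch( opinfo.boi_err )` that follows the `acl_check_modlist` call has no `default:` case, which is acceptable for a retry filter as long as it matches the file's other deadlock-retry switches, but the block comment would help a reader more if it said why the retry applies here, e.g. `/* Check ACL for attribute write access; ACL evaluation may touch the DB, so re-check boi_err for deadlock */` (the DB-access part is presumed from the retry, not visible in the hunk). bdb_add begins and ends outside this hunk.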
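Review bot: The trace message added to back-ndb/add.cpp is tagged `LDAP_XSTRING(bdb_add)`, so a denied attribute write in the NDB backend will be logged as coming from bdb_add; it looks copied from the back-bdb hunk and should name this file's own function, presumably `LDAP_XSTRING(ndb_add)` if the enclosing function follows the bdb naming (its definition is outside the hunk, so confirm). The check itself, `acl_check_modlist(op, op->ora_e, op->ora_modlist)`, uses the same request members as the back-bdb hunk, which is the right pair for an ADD. The ndb hunk also lacks the deadlock-retry filter the bdb hunk has; if NDB has no equivalent of `boi_err` that is fine, otherwise it should mirror it.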
--- a/servers/slapd/bconfig.c +++ b/servers/slapd/bconfig.c @@ -4633,6 +4633,15 @@ config_back_add( Operation *op, SlapReply *rs ) goto out; } + /* + * Check for attribute ACL + */ + if ( !acl_check_modlist( op, op->ora_e, op->orm_modlist )) { + rs->sr_err = LDAP_INSUFFICIENT_ACCESS; + rs->sr_text = "no write access to attribute"; + goto out; + } + cfb = (CfBackInfo *)op->o_bd->be_private; /* add opattrs for syncprov */ -- 2.39.5
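Review bot: The check added to config_back_add passes `op->orm_modlist`, the modify-request member, while the two backend hunks in this patch pass `op->ora_modlist` for the same ADD operation; since these names alias different members of the request union, this hunk very likely reads a pointer that was never populated as a Modifications list for an add, so the ACL check is either skipped or walks the wrong data. The line should be `if ( !acl_check_modlist( op, op->ora_e, op->ora_modlist )) {`. Unlike the other two hunks, this one also emits no Debug trace on denial, which makes a config-backend refusal harder to diagnose; a matching `Debug( LDAP_DEBUG_TRACE, ... ": no write access to attribute\n", 0, 0, 0 );` would keep the three paths consistent. config_back_add begins and ends outside this hunk.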