From b0a0ac4914045f691972f14edfaafc1e818346d0 Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Thu, 27 Dec 2007 00:51:45 +0000 Subject: [PATCH] Require compare (not read) access to entry attr for compare ops --- doc/man/man5/slapd-sock.5 | 5 +---- servers/slapd/back-sock/compare.c | 2 +- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/doc/man/man5/slapd-sock.5 b/doc/man/man5/slapd-sock.5 index d0d3472c50..99b467337d 100644 --- a/doc/man/man5/slapd-sock.5 +++ b/doc/man/man5/slapd-sock.5 @@ -186,11 +186,8 @@ to the underlying program. The .B compare operation requires -.B read (=r) -access (FIXME: wouldn't .B compare (=c) -be a more appropriate choice?) -to the +access to the .B entry pseudo-attribute of the object whose value is being asserted; diff --git a/servers/slapd/back-sock/compare.c b/servers/slapd/back-sock/compare.c index 71fd6f1778..032210a93a 100644 --- a/servers/slapd/back-sock/compare.c +++ b/servers/slapd/back-sock/compare.c @@ -48,7 +48,7 @@ sock_back_compare( e.e_private = NULL; if ( ! access_allowed( op, &e, - entry, NULL, ACL_READ, NULL ) ) + entry, NULL, ACL_COMPARE, NULL ) ) { send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL ); return -1; -- 2.39.5
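Review bot: In the slapd-sock.5 hunk, the new wording "compare (=c) access to the entry pseudo-attribute" does not tell administrators how the requirement relates to the old one. slapd access levels are cumulative, so an ACL that grants the read level on entry still satisfies it, but an ACL written with an explicit privilege set such as =r, without c, allowed compare before this change and will now be refused. A sentence saying so here would save people from finding out through LDAP_INSUFFICIENT_ACCESS errors after upgrading.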
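Review bot: In the compare.c hunk, changing the access_allowed() argument from ACL_READ to ACL_COMPARE lowers the bar for level-based ACLs, because compare ranks below read. Identities that hold compare but not read on entry will now get past this check and have their request passed on to the external program. That matches the subject line, but the commit message is only the subject; please add a line in the body stating that the change is intentional, so that operators know to re-check ACLs that grant compare on entry. The check visible here covers only the entry pseudo-attribute, so it is also worth confirming that access to the asserted attribute itself is enforced elsewhere, since nothing in these lines does it.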