From cb73d243fbd2e249e37ad05a57a27059dba7e025 Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga <kurt@openldap.org>
Date: Mon, 7 Oct 2002 19:19:29 +0000
Subject: [PATCH] More "entry" level ACLs for entry add, delete, and rename.

---
 servers/slapd/back-bdb/add.c      |  3 ++
 servers/slapd/back-bdb/delete.c   | 11 +++++---
 servers/slapd/back-ldbm/add.c     | 46 +++++++++++++++++++++----------
 servers/slapd/back-ldbm/delete.c  | 30 ++++++++++++++++----
 servers/slapd/back-ldbm/modrdn.c  | 21 ++++++++++++++
 servers/slapd/back-shell/add.c    |  9 ++++++
 servers/slapd/back-shell/delete.c | 19 +++++++++++++
 servers/slapd/back-shell/modrdn.c | 19 +++++++++++++
 8 files changed, 134 insertions(+), 24 deletions(-)

diff --git a/servers/slapd/back-bdb/add.c b/servers/slapd/back-bdb/add.c
index e2e4e2afc8..76fac90435 100644
--- a/servers/slapd/back-bdb/add.c
+++ b/servers/slapd/back-bdb/add.c
@@ -226,6 +226,7 @@ retry:	/* transaction retry */
 				0, 0, 0 );
 #endif
 			rc = LDAP_INSUFFICIENT_ACCESS;
+			text = "no write access to parent";
 			goto return_results;;
 		}
 
@@ -326,6 +327,7 @@ retry:	/* transaction retry */
 						0, 0, 0 );
 #endif
 					rc = LDAP_INSUFFICIENT_ACCESS;
+					text = "no write access to parent";
 					goto return_results;;
 				}
 
@@ -387,6 +389,7 @@ retry:	/* transaction retry */
 			0, 0, 0 );
 #endif
 		rc = LDAP_INSUFFICIENT_ACCESS;
+		text = "no write access to entry";
 		goto return_results;;
 	}
 
diff --git a/servers/slapd/back-bdb/delete.c b/servers/slapd/back-bdb/delete.c
index 045e5e28bf..5a19eb1e59 100644
--- a/servers/slapd/back-bdb/delete.c
+++ b/servers/slapd/back-bdb/delete.c
@@ -166,13 +166,14 @@ retry:	/* transaction retry */
 		if ( !rc  ) {
 #ifdef NEW_LOGGING
 			LDAP_LOG ( OPERATION, DETAIL1, 
-				"<=- bdb_delete: no access to parent\n", 0, 0, 0 );
+				"<=- bdb_delete: no write access to parent\n", 0, 0, 0 );
 #else
 			Debug( LDAP_DEBUG_TRACE,
-				"<=- bdb_delete: no access to parent\n",
+				"<=- bdb_delete: no write access to parent\n",
 				0, 0, 0 );
 #endif
 			rc = LDAP_INSUFFICIENT_ACCESS;
+			text = "no write access to parent";
 			goto return_results;
 		}
 
@@ -205,6 +206,7 @@ retry:	/* transaction retry */
 						"to parent\n", 0, 0, 0 );
 #endif
 					rc = LDAP_INSUFFICIENT_ACCESS;
+					text = "no write access to parent";
 					goto return_results;
 				}
 
@@ -300,13 +302,14 @@ retry:	/* transaction retry */
 	if ( !rc  ) {
 #ifdef NEW_LOGGING
 		LDAP_LOG ( OPERATION, DETAIL1, 
-			"<=- bdb_delete: no access to entry\n", 0, 0, 0 );
+			"<=- bdb_delete: no write access to entry\n", 0, 0, 0 );
 #else
 		Debug( LDAP_DEBUG_TRACE,
-			"<=- bdb_delete: no access to entry\n",
+			"<=- bdb_delete: no write access to entry\n",
 			0, 0, 0 );
 #endif
 		rc = LDAP_INSUFFICIENT_ACCESS;
+		text = "no write access to entry";
 		goto return_results;
 	}
 
diff --git a/servers/slapd/back-ldbm/add.c b/servers/slapd/back-ldbm/add.c
index 65d1d11370..d6ac6fb83d 100644
--- a/servers/slapd/back-ldbm/add.c
+++ b/servers/slapd/back-ldbm/add.c
@@ -31,6 +31,7 @@ ldbm_back_add(
 	ID               id = NOID;
 	const char	*text = NULL;
 	AttributeDescription *children = slap_schema.si_ad_children;
+	AttributeDescription *entry = slap_schema.si_ad_entry;
 	char textbuf[SLAP_TEXT_BUFLEN];
 	size_t textlen = sizeof textbuf;
 
@@ -40,23 +41,8 @@ ldbm_back_add(
 	Debug(LDAP_DEBUG_ARGS, "==> ldbm_back_add: %s\n", e->e_dn, 0, 0);
 #endif
 
-	/* grab giant lock for writing */
-	ldap_pvt_thread_rdwr_wlock(&li->li_giant_rwlock);
-
-	if ( ( rc = dn2id( be, &e->e_nname, &id ) ) || id != NOID ) {
-		/* if (rc) something bad happened to ldbm cache */
-		ldap_pvt_thread_rdwr_wunlock(&li->li_giant_rwlock);
-		send_ldap_result( conn, op, 
-			rc ? LDAP_OTHER : LDAP_ALREADY_EXISTS,
-			NULL, NULL, NULL, NULL );
-		return( -1 );
-	}
-
 	rc = entry_schema_check( be, e, NULL, &text, textbuf, textlen );
-
 	if ( rc != LDAP_SUCCESS ) {
-		ldap_pvt_thread_rdwr_wunlock(&li->li_giant_rwlock);
-
 #ifdef NEW_LOGGING
 		LDAP_LOG( BACK_LDBM, ERR, 
 			"ldbm_back_add: entry (%s) failed schema check.\n", e->e_dn, 0, 0 );
@@ -70,6 +56,36 @@ ldbm_back_add(
 		return( -1 );
 	}
 
+	if ( ! access_allowed( be, conn, op, e,
+		entry, NULL, ACL_WRITE, NULL ) )
+	{
+#ifdef NEW_LOGGING
+		LDAP_LOG( BACK_LDBM, ERR, 
+			"ldbm_back_add: No write access to entry (%s).\n", 
+			e->e_dn, 0, 0 );
+#else
+		Debug( LDAP_DEBUG_TRACE, "no write access to entry\n", 0,
+		    0, 0 );
+#endif
+
+		send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
+		    NULL, "no write access to entry", NULL, NULL );
+
+		return -1;
+	}
+
+	/* grab giant lock for writing */
+	ldap_pvt_thread_rdwr_wlock(&li->li_giant_rwlock);
+
+	if ( ( rc = dn2id( be, &e->e_nname, &id ) ) || id != NOID ) {
+		/* if (rc) something bad happened to ldbm cache */
+		ldap_pvt_thread_rdwr_wunlock(&li->li_giant_rwlock);
+		send_ldap_result( conn, op, 
+			rc ? LDAP_OTHER : LDAP_ALREADY_EXISTS,
+			NULL, NULL, NULL, NULL );
+		return( -1 );
+	}
+
 	/*
 	 * Get the parent dn and see if the corresponding entry exists.
 	 * If the parent does not exist, only allow the "root" user to
diff --git a/servers/slapd/back-ldbm/delete.c b/servers/slapd/back-ldbm/delete.c
index d33e957f67..1622554140 100644
--- a/servers/slapd/back-ldbm/delete.c
+++ b/servers/slapd/back-ldbm/delete.c
@@ -32,6 +32,7 @@ ldbm_back_delete(
 	int	rc = -1;
 	int		manageDSAit = get_manageDSAit( op );
 	AttributeDescription *children = slap_schema.si_ad_children;
+	AttributeDescription *entry = slap_schema.si_ad_entry;
 
 #ifdef NEW_LOGGING
 	LDAP_LOG( BACK_LDBM, ENTRY, "ldbm_back_delete: %s\n", dn->bv_val, 0, 0 );
@@ -78,6 +79,27 @@ ldbm_back_delete(
 		return( -1 );
 	}
 
+	/* check entry for "entry" acl */
+	if ( ! access_allowed( be, conn, op, e,
+		entry, NULL, ACL_WRITE, NULL ) )
+	{
+#ifdef NEW_LOGGING
+		LDAP_LOG( BACK_LDBM, ERR, 
+			"ldbm_back_delete: no write access to entry of (%s)\n", 
+			dn->bv_val, 0, 0 );
+#else
+		Debug( LDAP_DEBUG_TRACE,
+			"<=- ldbm_back_delete: no write access to entry\n", 0,
+			0, 0 );
+#endif
+
+		send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
+			NULL, "no write access to entry", NULL, NULL );
+
+		rc = 1;
+		goto return_results;
+	}
+
     if ( !manageDSAit && is_entry_referral( e ) ) {
 		/* parent is a referral, don't allow add */
 		/* parent is an alias, don't allow add */
@@ -101,7 +123,6 @@ ldbm_back_delete(
 		goto return_results;
 	}
 
-
 	if ( has_children( be, e ) ) {
 #ifdef NEW_LOGGING
 		LDAP_LOG( BACK_LDBM, ERR, 
@@ -149,7 +170,7 @@ ldbm_back_delete(
 #endif
 
 			send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
-				NULL, NULL, NULL, NULL );
+				NULL, "no write access to parent", NULL, NULL );
 			goto return_results;
 		}
 
@@ -175,9 +196,8 @@ ldbm_back_delete(
 						"access to parent\n", 0, 0, 0 );
 #endif
 
-					send_ldap_result( conn, op, 
-						LDAP_INSUFFICIENT_ACCESS,
-						NULL, NULL, NULL, NULL );
+					send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
+						NULL, "no write access to parent", NULL, NULL );
 					goto return_results;
 				}
 
diff --git a/servers/slapd/back-ldbm/modrdn.c b/servers/slapd/back-ldbm/modrdn.c
index 5ba4e9afb6..f71cfc6150 100644
--- a/servers/slapd/back-ldbm/modrdn.c
+++ b/servers/slapd/back-ldbm/modrdn.c
@@ -47,6 +47,7 @@ ldbm_back_modrdn(
 )
 {
 	AttributeDescription *children = slap_schema.si_ad_children;
+	AttributeDescription *entry = slap_schema.si_ad_entry;
 	struct ldbminfo	*li = (struct ldbminfo *) be->be_private;
 	struct berval	p_dn, p_ndn;
 	struct berval	new_dn = { 0, NULL}, new_ndn = { 0, NULL };
@@ -115,6 +116,26 @@ ldbm_back_modrdn(
 		return( -1 );
 	}
 
+	/* check entry for "entry" acl */
+	if ( ! access_allowed( be, conn, op, e,
+		entry, NULL, ACL_WRITE, NULL ) )
+	{
+#ifdef NEW_LOGGING
+		LDAP_LOG( BACK_LDBM, ERR, 
+			"ldbm_back_modrdn: no write access to entry of (%s)\n", 
+			dn->bv_val, 0, 0 );
+#else
+		Debug( LDAP_DEBUG_TRACE,
+			"<=- ldbm_back_modrdn: no write access to entry\n", 0,
+			0, 0 );
+#endif
+
+		send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
+			NULL, "no write access to entry", NULL, NULL );
+
+		goto return_results;
+	}
+
 	if (!manageDSAit && is_entry_referral( e ) ) {
 		/* parent is a referral, don't allow add */
 		/* parent is an alias, don't allow add */
diff --git a/servers/slapd/back-shell/add.c b/servers/slapd/back-shell/add.c
index 2eb06b53ad..ae65d4cf25 100644
--- a/servers/slapd/back-shell/add.c
+++ b/servers/slapd/back-shell/add.c
@@ -24,6 +24,7 @@ shell_back_add(
 )
 {
 	struct shellinfo	*si = (struct shellinfo *) be->be_private;
+	AttributeDescription *entry = slap_schema.si_ad_entry;
 	FILE			*rfp, *wfp;
 	int			len;
 
@@ -33,6 +34,14 @@ shell_back_add(
 		return( -1 );
 	}
 
+	if ( ! access_allowed( be, conn, op, e,
+		entry, NULL, ACL_WRITE, NULL ) )
+	{
+		send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
+			NULL, NULL, NULL, NULL );
+		return -1;
+	}
+
 	if ( (op->o_private = (void *) forkandexec( si->si_add, &rfp, &wfp )) == (void *) -1 ) {
 		send_ldap_result( conn, op, LDAP_OTHER, NULL,
 		    "could not fork/exec", NULL, NULL );
diff --git a/servers/slapd/back-shell/delete.c b/servers/slapd/back-shell/delete.c
index 73dd65e52f..eb6c977b98 100644
--- a/servers/slapd/back-shell/delete.c
+++ b/servers/slapd/back-shell/delete.c
@@ -25,6 +25,8 @@ shell_back_delete(
 )
 {
 	struct shellinfo	*si = (struct shellinfo *) be->be_private;
+	AttributeDescription *entry = slap_schema.si_ad_entry;
+	Entry e;
 	FILE			*rfp, *wfp;
 
 	if ( IS_NULLCMD( si->si_delete ) ) {
@@ -33,6 +35,23 @@ shell_back_delete(
 		return( -1 );
 	}
 
+	e.e_id = NOID;
+	e.e_name = *dn;
+	e.e_nname = *ndn;
+	e.e_attrs = NULL;
+	e.e_ocflags = 0;
+	e.e_bv.bv_len = 0;
+	e.e_bv.bv_val = NULL;
+	e.e_private = NULL;
+
+	if ( ! access_allowed( be, conn, op, &e,
+		entry, NULL, ACL_WRITE, NULL ) )
+	{
+		send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
+			NULL, NULL, NULL, NULL );
+		return -1;
+	}
+
 	if ( (op->o_private = (void *) forkandexec( si->si_delete, &rfp, &wfp ))
 	    == (void *) -1 ) {
 		send_ldap_result( conn, op, LDAP_OTHER, NULL,
diff --git a/servers/slapd/back-shell/modrdn.c b/servers/slapd/back-shell/modrdn.c
index 2e92d8731c..bfe86a9510 100644
--- a/servers/slapd/back-shell/modrdn.c
+++ b/servers/slapd/back-shell/modrdn.c
@@ -43,6 +43,8 @@ shell_back_modrdn(
 )
 {
 	struct shellinfo	*si = (struct shellinfo *) be->be_private;
+	AttributeDescription *entry = slap_schema.si_ad_entry;
+	Entry e;
 	FILE			*rfp, *wfp;
 
 	if ( IS_NULLCMD( si->si_modrdn ) ) {
@@ -51,6 +53,23 @@ shell_back_modrdn(
 		return( -1 );
 	}
 
+	e.e_id = NOID;
+	e.e_name = *dn;
+	e.e_nname = *ndn;
+	e.e_attrs = NULL;
+	e.e_ocflags = 0;
+	e.e_bv.bv_len = 0;
+	e.e_bv.bv_val = NULL;
+	e.e_private = NULL;
+
+	if ( ! access_allowed( be, conn, op, &e,
+		entry, NULL, ACL_WRITE, NULL ) )
+	{
+		send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
+			NULL, NULL, NULL, NULL );
+		return -1;
+	}
+
 	if ( (op->o_private = (void *) forkandexec( si->si_modrdn, &rfp, &wfp ))
 	    == (void *) -1 ) {
 		send_ldap_result( conn, op, LDAP_OTHER, NULL,
-- 
2.39.5