From e1d1d3240208531466ae8ac1aca240b474499f73 Mon Sep 17 00:00:00 2001 From: Ralf Haferkamp Date: Tue, 27 Jun 2006 15:26:08 +0000 Subject: [PATCH] Do "selfwrite" check independent of other clauses (ITS#4587) --- servers/slapd/acl.c | 68 ++++++++++++++++++++++----------------------- 1 file changed, 33 insertions(+), 35 deletions(-) diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index 68f10d2f1d..886bc745fc 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -689,12 +689,8 @@ acl_mask_dn( AttributeDescription *desc, struct berval *val, AccessControl *a, - Access *b, - int i, int nmatch, regmatch_t *matches, - int count, - AccessControlState *state, slap_dn_access *bdn, struct berval *opndn ) { @@ -709,33 +705,6 @@ acl_mask_dn( * value is set in a_dn_style; however, the string * is maintaned in a_dn_pat. */ - if ( bdn->a_self ) { - const char *dummy; - int rc, match = 0; - - ACL_RECORD_VALUE_STATE; - - /* must have DN syntax */ - if ( desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName ) return 1; - - /* check if the target is an attribute. */ - if ( val == NULL ) return 1; - - /* a DN must be present */ - if ( BER_BVISEMPTY( opndn ) ) { - return 1; - } - - /* target is attribute, check if the attribute value - * is the op dn. - */ - rc = value_match( &match, desc, - desc->ad_type->sat_equality, 0, - val, opndn, &dummy ); - /* on match error or no match, fail the ACL clause */ - if ( rc != LDAP_SUCCESS || match != 0 ) - return 1; - } if ( bdn->a_style == ACL_STYLE_ANONYMOUS ) { if ( !BER_BVISEMPTY( opndn ) ) { @@ -1165,8 +1134,8 @@ slap_acl_mask( * is maintaned in a_dn_pat. */ - if ( acl_mask_dn( op, e, desc, val, a, b, i, nmatch, matches, - count, state, &b->a_dn, &op->o_ndn ) ) + if ( acl_mask_dn( op, e, desc, val, a, nmatch, matches, + &b->a_dn, &op->o_ndn ) ) { continue; } @@ -1196,8 +1165,8 @@ slap_acl_mask( ndn = op->o_ndn; } - if ( acl_mask_dn( op, e, desc, val, a, b, i, nmatch, matches, - count, state, &b->a_realdn, &ndn ) ) + if ( acl_mask_dn( op, e, desc, val, a, nmatch, matches, + &b->a_realdn, &ndn ) ) { continue; } @@ -1672,6 +1641,35 @@ slap_acl_mask( } } + /* check for the "self" modifier in the field */ + if ( b->a_dn.a_self ) { + const char *dummy; + int rc, match = 0; + + ACL_RECORD_VALUE_STATE; + + /* must have DN syntax */ + if ( desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName ) continue; + + /* check if the target is an attribute. */ + if ( val == NULL ) continue; + + /* a DN must be present */ + if ( BER_BVISEMPTY( &op->o_ndn ) ) { + continue; + } + + /* target is attribute, check if the attribute value + * is the op dn. + */ + rc = value_match( &match, desc, + desc->ad_type->sat_equality, 0, + val, &op->o_ndn, &dummy ); + /* on match error or no match, fail the ACL clause */ + if ( rc != LDAP_SUCCESS || match != 0 ) + continue; + } + #ifdef SLAP_DYNACL if ( b->a_dynacl ) { slap_dynacl_t *da; -- 2.39.5