From f6e4f20254e3b39068a55608b3729eee2c72d74d Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati
Date: Tue, 13 Jun 2006 08:53:34 +0000
Subject: [PATCH] test for ITS#4587; another bit of fix for that

---
 servers/slapd/acl.c | 5 +++++
 tests/data/acl.out.master | 1 -
 tests/data/slapd-acl.conf | 1 +
 tests/scripts/test006-acls | 41 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 47 insertions(+), 1 deletion(-)

diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index 0f62341788..c960cc9019 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -700,6 +700,11 @@ acl_mask_dn(
 /* check if the target is an attribute. */
 if ( val == NULL ) return 1;
 
+ /* a DN must be present */
+ if ( BER_BVISEMPTY( opndn ) ) {
+ return 1;
+ }
+
 /* target is attribute, check if the attribute value
 * is the op dn.
 */
diff --git a/tests/data/acl.out.master b/tests/data/acl.out.master
index 1d4423e1d4..74c7c937c8 100644
--- a/tests/data/acl.out.master
+++ b/tests/data/acl.out.master
@@ -68,7 +68,6 @@ member: cn=Jane Doe,ou=Alumni Association,ou=People,dc=example,dc=com
 member: cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc
  =com
 member: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com
-member: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com
 member: cn=James A Jones 2,ou=Information Technology Division,ou=People,dc=exa
  mple,dc=com
 member: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com
diff --git a/tests/data/slapd-acl.conf b/tests/data/slapd-acl.conf
index 531a1b730e..a168e5cd5e 100644
--- a/tests/data/slapd-acl.conf
+++ b/tests/data/slapd-acl.conf
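Review bot: The new guard `if ( BER_BVISEMPTY( opndn ) ) { return 1; }` rejects an empty operation DN, but its comment `/* a DN must be present */` does not say why an empty DN is dangerous at this point or what `return 1` means, and a reader has to infer from the adjacent `if ( val == NULL ) return 1;` that 1 signals "this clause does not apply". I would expand it to `/* selfwrite needs a bound identity: an empty (anonymous) op DN must not be compared against the attribute value below, so treat the clause as not matching */`, since the context comment that follows says the attribute value is compared with the op DN, though that comparison itself is below the hunk and not visible here. The enclosing acl_mask_dn() body starts and ends outside the hunk. Style nit: the new check is braced while the neighbouring `if ( val == NULL ) return 1;` is a one-liner; either form is fine but the function should use one consistently.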
@@ -110,6 +110,7 @@ access to dn.children="ou=Alumni Association,ou=People,dc=example,dc=com"
 
 #access to attrs=member,uniquemember dn.subtree="dc=example,dc=com"
 access to attrs=member,uniquemember
+ by dn.exact="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com" selfwrite
 by dnattr=member selfwrite
 by dnattr=uniquemember selfwrite
 by * read
diff --git a/tests/scripts/test006-acls b/tests/scripts/test006-acls
index 6f131be124..9add9f277e 100755
--- a/tests/scripts/test006-acls
+++ b/tests/scripts/test006-acls
@@ -103,6 +103,47 @@ $LDAPSEARCH -h $LOCALHOST -p $PORT1 \
 -D "$BJORNSDN" -w bjorn \
 -b "$BABSDN" -s base "(objectclass=*)" cn >> $SEARCHOUT 2>&1
 
+# check selfwrite access (ITS#4587). Two attempts are made:
+# 1) delete someone else (should fail)
+# 2) delete self (should succeed)
+#
+$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
+ $TESTOUT 2>&1 << EOMODS
+dn: cn=All Staff,ou=Groups,dc=example,dc=com
+changetype: modify
+delete: member
+member: $BABSDN
+EOMODS
+RC=$?
+case $RC in
+50)
+ ;;
+0)
+ echo "ldapmodify should have failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit -1
+ ;;
+*)
+ echo "ldapmodify failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ ;;
+esac
+
+$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
+ $TESTOUT 2>&1 << EOMODS
+dn: cn=All Staff,ou=Groups,dc=example,dc=com
+changetype: modify
+delete: member
+member: $JAJDN
+EOMODS
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapmodify failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+# # Check group access. Try to modify Babs' entry. Two attempts:
 # 1) bound as "James A Jones 1" - should fail
-- 
2.39.5
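Review bot: The new `by dn.exact="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com" selfwrite` clause carries no comment saying it is a regression fixture for ITS#4587, so a later cleanup could merge or drop it as redundant with the `by dnattr=member selfwrite` clause below it, which presumably also matches that user while he is still a member. I would add a line above it such as `# ITS#4587: explicit by-dn selfwrite so test006 exercises the dn-based selfwrite path (not only dnattr)`, to be confirmed against what test006 actually relies on. As I understand slapd stops at the first matching `by` clause, placing the new clause first is what makes it the one deciding this user's access, which is worth stating in the same comment.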
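Review bot: The negative case binds as `-D "$JAJDN"` and deletes another member, but nothing in the hunk exercises the anonymous (empty op DN) condition that the acl.c part of this commit guards; a third `$LDAPMODIFY` with no `-D`/`-w` deleting `$BABSDN`, expected to return 50 like the first attempt, would pin that path even if other `by` clauses in slapd-acl.conf would deny it anyway. The `0)` branch's `exit -1` is not a portable exit status (POSIX leaves a negative operand unspecified and some `/bin/sh` implementations reject it); `exit 1` would be safer, though the rest of this script, outside the hunk, may use the same idiom. The `<< EOMODS` heredocs are unquoted on purpose so `$BABSDN` and `$JAJDN` expand; a one-line comment saying so would keep someone from "fixing" them to `<< 'EOMODS'`.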