disallow selfwriters from deleting all values with replace
authorKurt Zeilenga <kurt@openldap.org>
Tue, 15 Jan 2002 16:28:13 +0000 (16:28 +0000)
committerKurt Zeilenga <kurt@openldap.org>
Tue, 15 Jan 2002 16:28:13 +0000 (16:28 +0000)
servers/slapd/acl.c

index c813eda544c705a7a245983127f9febb49fa1738..56ff6c172ddce75a87fa3f7f6959a8a3ac086998 100644 (file)
@@ -899,16 +899,20 @@ acl_check_modlist(
 
                switch ( mlist->sml_op ) {
                case LDAP_MOD_REPLACE:
-                       if ( mlist->sml_bvalues == NULL ) {
-                               if ( ! access_allowed( be, conn, op, e,
-                                       mlist->sml_desc, NULL, ACL_WRITE ) )
-                               {
-                                       return( 0 );
-                               }
-                               break;
+                       /*
+                        * We must check both permission to delete the whole
+                        * attribute and permission to add the specific attributes.
+                        * This prevents abuse from selfwriters.
+                        */
+                       if ( ! access_allowed( be, conn, op, e,
+                               mlist->sml_desc, NULL, ACL_WRITE ) )
+                       {
+                               return( 0 );
                        }
 
-                       /* fall thru */
+                       if ( mlist->sml_bvalues == NULL ) break;
+
+                       /* fall thru to check value to add */
 
                case LDAP_MOD_ADD:
                        assert( mlist->sml_bvalues != NULL );
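Review bot: The new comment block above the ACL_WRITE check says "permission to add the specific attributes", but what the fall-through into LDAP_MOD_ADD checks is the specific values in mlist->sml_bvalues, and the rationale is worth stating explicitly: a replace implicitly removes every existing value of the attribute, so the attribute-level check (value NULL) has to run whether or not new values are supplied, which the old code skipped whenever sml_bvalues was non-NULL. I would reword it as `/* A replace removes every existing value, so require attribute-level write (value NULL) first, then fall through to check each value being added. */`. The LDAP_MOD_DELETE case and the rest of acl_check_modlist are outside the hunk; presumably a whole-attribute delete (sml_bvalues == NULL) there performs the same NULL-value ACL_WRITE check, which is worth confirming since it reaches the same outcome as the replace this commit tightens.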