From d03f5dc58da48f7b2e0462af63468cfc9e1b6292 Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Sat, 12 Dec 2009 00:12:24 +0000
Subject: [PATCH] New access_allowed()
---
 servers/slapd/back-shell/add.c | 5 ++---
 servers/slapd/back-shell/bind.c | 5 ++---
 servers/slapd/back-shell/compare.c | 5 ++---
 servers/slapd/back-shell/delete.c | 5 ++---
 servers/slapd/back-shell/modify.c | 5 ++---
 servers/slapd/back-shell/modrdn.c | 8 ++++----
 servers/slapd/back-sock/add.c | 5 ++---
 servers/slapd/back-sock/bind.c | 5 ++---
 servers/slapd/back-sock/compare.c | 5 ++---
 servers/slapd/back-sock/delete.c | 5 ++---
 servers/slapd/back-sock/modify.c | 5 ++---
 servers/slapd/back-sock/modrdn.c | 7 +++----
 12 files changed, 27 insertions(+), 38 deletions(-)
diff --git a/servers/slapd/back-shell/add.c b/servers/slapd/back-shell/add.c
index b5e1c5c333..e4b5a59a7b 100644
--- a/servers/slapd/back-shell/add.c
+++ b/servers/slapd/back-shell/add.c
@@ -44,9 +44,9 @@ shell_back_add(
 SlapReply *rs )
 {
 struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private;
- AttributeDescription *entry = slap_schema.si_ad_entry;
 FILE *rfp, *wfp;
 int len;
+ AclCheck ak = { op->ora_e, slap_schema.si_ad_entry, NULL, ACL_WADD, NULL };
 if ( si->si_add == NULL ) {
 send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
@@ -54,8 +54,7 @@ shell_back_add(
 return( -1 );
 }
- if ( ! access_allowed( op, op->oq_add.rs_e,
- entry, NULL, ACL_WADD, NULL ) )
+ if ( ! access_allowed( op, &ak ))
 {
 send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
 return -1;
diff --git a/servers/slapd/back-shell/bind.c b/servers/slapd/back-shell/bind.c
index cc5ce2d946..72f75f2768 100644
--- a/servers/slapd/back-shell/bind.c
+++ b/servers/slapd/back-shell/bind.c
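Review bot: The positional initializer `AclCheck ak = { op->ora_e, slap_schema.si_ad_entry, NULL, ACL_WADD, NULL };` in shell_back_add hides which slot holds the access level and what the two `NULL`s stand for, and the struct declaration is not part of this patch. Since this structure now carries the whole authorization request, I would put a one-line comment above it such as `/* entry, attribute, value, access, state - order must match AclCheck */` (meanings inferred from the removed six-argument call, so confirm against the declaration). The same initializer form appears in all twelve functions touched here. The entry expression also changes from `op->oq_add.rs_e` to `op->ora_e`; presumably both name the same member, but nothing in the patch shows that. shell_back_add's body continues outside both hunks.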
@@ -44,10 +44,10 @@ shell_back_bind(
 SlapReply *rs )
 {
 struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private;
- AttributeDescription *entry = slap_schema.si_ad_entry;
 Entry e;
 FILE *rfp, *wfp;
 int rc;
+ AclCheck ak = { &e, slap_schema.si_ad_entry, NULL, ACL_AUTH, NULL };
 /* allow rootdn as a means to auth without the need to actually
 * contact the proxied DSA */
@@ -74,8 +74,7 @@ shell_back_bind(
 e.e_bv.bv_val = NULL;
 e.e_private = NULL;
- if ( ! access_allowed( op, &e,
- entry, NULL, ACL_AUTH, NULL ) )
+ if ( ! access_allowed( op, &ak ))
 {
 send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
 return -1;
diff --git a/servers/slapd/back-shell/compare.c b/servers/slapd/back-shell/compare.c
index 7c1460223d..382bc252c9 100644
--- a/servers/slapd/back-shell/compare.c
+++ b/servers/slapd/back-shell/compare.c
@@ -44,9 +44,9 @@ shell_back_compare(
 SlapReply *rs )
 {
 struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private;
- AttributeDescription *entry = slap_schema.si_ad_entry;
 Entry e;
 FILE *rfp, *wfp;
+ AclCheck ak = { &e, slap_schema.si_ad_entry, NULL, ACL_COMPARE, NULL };
 if ( si->si_compare == NULL ) {
 send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
@@ -63,8 +63,7 @@ shell_back_compare(
 e.e_bv.bv_val = NULL;
 e.e_private = NULL;
- if ( ! access_allowed( op, &e,
- entry, NULL, ACL_READ, NULL ) )
+ if ( ! access_allowed( op, &ak ))
 {
 send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
 return -1;
diff --git a/servers/slapd/back-shell/delete.c b/servers/slapd/back-shell/delete.c
index 35e0c8b418..ecbb15ef80 100644
--- a/servers/slapd/back-shell/delete.c
+++ b/servers/slapd/back-shell/delete.c
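Review bot: In shell_back_bind `ak` is initialized with `&e` at declaration, before any field of `e` has been assigned and ahead of the rootdn shortcut announced by the comment that follows. Only the address is captured, so the later `access_allowed( op, &ak )` does see the populated entry, but the check is only meaningful if every path reaches it after the `e.e_*` assignments. A comment next to the declaration, for example `/* ak points at e; e must be fully set before access_allowed() */`, would make that ordering requirement explicit. The same pattern is used in the compare, delete, modify and modrdn functions of both backends, and the function body extends beyond the hunks shown.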
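Review bot: shell_back_compare now requests `ACL_COMPARE` in the `ak` initializer, whereas the call it replaces passed `ACL_READ`, so this file is not a pure API conversion: the privilege required on the `entry` pseudo-attribute before a compare is handed to the external program changes. That matches sock_back_compare, which already used `ACL_COMPARE`, and in slapd's access ordering compare ranks below read, so identities granted only compare access would now pass this check. The change looks intentional, but it deserves its own line in the commit message and a comment at the initializer, e.g. `/* compare access on the entry, matching back-sock (was ACL_READ) */`, so that anyone auditing ACL behaviour across versions can find it.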
@@ -44,9 +44,9 @@ shell_back_delete(
 SlapReply *rs )
 {
 struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private;
- AttributeDescription *entry = slap_schema.si_ad_entry;
 Entry e;
 FILE *rfp, *wfp;
+ AclCheck ak = { &e, slap_schema.si_ad_entry, NULL, ACL_WDEL, NULL };
 if ( si->si_delete == NULL ) {
 send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
@@ -63,8 +63,7 @@ shell_back_delete(
 e.e_bv.bv_val = NULL;
 e.e_private = NULL;
- if ( ! access_allowed( op, &e,
- entry, NULL, ACL_WDEL, NULL ) )
+ if ( ! access_allowed( op, &ak ))
 {
 send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
 return -1;
diff --git a/servers/slapd/back-shell/modify.c b/servers/slapd/back-shell/modify.c
index 1f0d1208bf..70ccd49aa9 100644
--- a/servers/slapd/back-shell/modify.c
+++ b/servers/slapd/back-shell/modify.c
@@ -45,11 +45,11 @@ shell_back_modify(
 {
 Modification *mod;
 struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private;
- AttributeDescription *entry = slap_schema.si_ad_entry;
 Modifications *ml = op->orm_modlist;
 Entry e;
 FILE *rfp, *wfp;
 int i;
+ AclCheck ak = { &e, slap_schema.si_ad_entry, NULL, ACL_WRITE, NULL };
 if ( si->si_modify == NULL ) {
 send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
@@ -66,8 +66,7 @@ shell_back_modify(
 e.e_bv.bv_val = NULL;
 e.e_private = NULL;
- if ( ! access_allowed( op, &e,
- entry, NULL, ACL_WRITE, NULL ) )
+ if ( ! access_allowed( op, &ak ))
 {
 send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
 return -1;
diff --git a/servers/slapd/back-shell/modrdn.c b/servers/slapd/back-shell/modrdn.c
index 93bcc59b90..bde9e522c0 100644
--- a/servers/slapd/back-shell/modrdn.c
+++ b/servers/slapd/back-shell/modrdn.c
@@ -44,9 +44,9 @@ shell_back_modrdn(
 SlapReply *rs )
 {
 struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private;
- AttributeDescription *entry = slap_schema.si_ad_entry;
 Entry e;
 FILE *rfp, *wfp;
+ AclCheck ak = { &e, slap_schema.si_ad_entry, NULL, ACL_WRITE, NULL };
 if ( si->si_modrdn == NULL ) {
 send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
@@ -63,9 +63,9 @@ shell_back_modrdn(
 e.e_bv.bv_val = NULL;
 e.e_private = NULL;
- if ( ! access_allowed( op, &e, entry, NULL,
- op->oq_modrdn.rs_newSup ? ACL_WDEL : ACL_WRITE,
- NULL ) )
+
+ if ( op->oq_modrdn.rs_newSup ) ak.ak_access = ACL_WDEL;
+ if ( ! access_allowed( op, &ak ))
 {
 send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
 return -1;
diff --git a/servers/slapd/back-sock/add.c b/servers/slapd/back-sock/add.c
index 8bf01333ef..b77290b5cd 100644
--- a/servers/slapd/back-sock/add.c
+++ b/servers/slapd/back-sock/add.c
@@ -34,12 +34,11 @@ sock_back_add(
 SlapReply *rs )
 {
 struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private;
- AttributeDescription *entry = slap_schema.si_ad_entry;
 FILE *fp;
 int len;
+ AclCheck ak = { op->ora_e, slap_schema.si_ad_entry, NULL, ACL_WADD, NULL };
- if ( ! access_allowed( op, op->oq_add.rs_e,
- entry, NULL, ACL_WADD, NULL ) )
+ if ( ! access_allowed( op, &ak ))
 {
 send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
 return -1;
diff --git a/servers/slapd/back-sock/bind.c b/servers/slapd/back-sock/bind.c
index 5737c28493..a7561b63c4 100644
--- a/servers/slapd/back-sock/bind.c
+++ b/servers/slapd/back-sock/bind.c
@@ -34,10 +34,10 @@ sock_back_bind(
 SlapReply *rs )
 {
 struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private;
- AttributeDescription *entry = slap_schema.si_ad_entry;
 Entry e;
 FILE *fp;
 int rc;
+ AclCheck ak = { &e, slap_schema.si_ad_entry, NULL, ACL_AUTH, NULL };
 e.e_id = NOID;
 e.e_name = op->o_req_dn;
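Review bot: The access-level override in shell_back_modrdn is written as an unbraced one-line conditional, `if ( op->oq_modrdn.rs_newSup ) ak.ak_access = ACL_WDEL;`, directly above the authorization check, and the hunk also adds a second blank line in front of it. Because this statement decides which privilege is checked, I would brace it and give the assignment its own line, `if ( op->oq_modrdn.rs_newSup ) {` / `ak.ak_access = ACL_WDEL;` / `}`, and drop the extra blank line. sock_back_modrdn carries the same one-liner in its second hunk. Both function bodies continue outside the hunks.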
@@ -48,8 +48,7 @@ sock_back_bind(
 e.e_bv.bv_val = NULL;
 e.e_private = NULL;
- if ( ! access_allowed( op, &e,
- entry, NULL, ACL_AUTH, NULL ) )
+ if ( ! access_allowed( op, &ak ))
 {
 send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
 return -1;
diff --git a/servers/slapd/back-sock/compare.c b/servers/slapd/back-sock/compare.c
index 3712b665ef..ec4b82be43 100644
--- a/servers/slapd/back-sock/compare.c
+++ b/servers/slapd/back-sock/compare.c
@@ -34,9 +34,9 @@ sock_back_compare(
 SlapReply *rs )
 {
 struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private;
- AttributeDescription *entry = slap_schema.si_ad_entry;
 Entry e;
 FILE *fp;
+ AclCheck ak = { &e, slap_schema.si_ad_entry, NULL, ACL_COMPARE, NULL };
 e.e_id = NOID;
 e.e_name = op->o_req_dn;
@@ -47,8 +47,7 @@ sock_back_compare(
 e.e_bv.bv_val = NULL;
 e.e_private = NULL;
- if ( ! access_allowed( op, &e,
- entry, NULL, ACL_COMPARE, NULL ) )
+ if ( ! access_allowed( op, &ak ))
 {
 send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
 return -1;
diff --git a/servers/slapd/back-sock/delete.c b/servers/slapd/back-sock/delete.c
index daa85cc653..d55130715e 100644
--- a/servers/slapd/back-sock/delete.c
+++ b/servers/slapd/back-sock/delete.c
@@ -34,9 +34,9 @@ sock_back_delete(
 SlapReply *rs )
 {
 struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private;
- AttributeDescription *entry = slap_schema.si_ad_entry;
 Entry e;
 FILE *fp;
+ AclCheck ak = { &e, slap_schema.si_ad_entry, NULL, ACL_WDEL, NULL };
 e.e_id = NOID;
 e.e_name = op->o_req_dn;
@@ -47,8 +47,7 @@ sock_back_delete(
 e.e_bv.bv_val = NULL;
 e.e_private = NULL;
- if ( ! access_allowed( op, &e,
- entry, NULL, ACL_WDEL, NULL ) )
+ if ( ! access_allowed( op, &ak ))
 {
 send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
 return -1;
diff --git a/servers/slapd/back-sock/modify.c b/servers/slapd/back-sock/modify.c
index b332fb4d7f..d1f986d477 100644
--- a/servers/slapd/back-sock/modify.c
+++ b/servers/slapd/back-sock/modify.c
@@ -35,11 +35,11 @@ sock_back_modify(
 {
 Modification *mod;
 struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private;
- AttributeDescription *entry = slap_schema.si_ad_entry;
 Modifications *ml = op->orm_modlist;
 Entry e;
 FILE *fp;
 int i;
+ AclCheck ak = { &e, slap_schema.si_ad_entry, NULL, ACL_WRITE, NULL };
 e.e_id = NOID;
 e.e_name = op->o_req_dn;
@@ -50,8 +50,7 @@ sock_back_modify(
 e.e_bv.bv_val = NULL;
 e.e_private = NULL;
- if ( ! access_allowed( op, &e,
- entry, NULL, ACL_WRITE, NULL ) )
+ if ( ! access_allowed( op, &ak ))
 {
 send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
 return -1;
diff --git a/servers/slapd/back-sock/modrdn.c b/servers/slapd/back-sock/modrdn.c
index 881f3a8bc2..5efa95e332 100644
--- a/servers/slapd/back-sock/modrdn.c
+++ b/servers/slapd/back-sock/modrdn.c
@@ -34,9 +34,9 @@ sock_back_modrdn(
 SlapReply *rs )
 {
 struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private;
- AttributeDescription *entry = slap_schema.si_ad_entry;
 Entry e;
 FILE *fp;
+ AclCheck ak = { &e, slap_schema.si_ad_entry, NULL, ACL_WRITE, NULL };
 e.e_id = NOID;
 e.e_name = op->o_req_dn;
@@ -47,9 +47,8 @@ sock_back_modrdn(
 e.e_bv.bv_val = NULL;
 e.e_private = NULL;
- if ( ! access_allowed( op, &e, entry, NULL,
- op->oq_modrdn.rs_newSup ? ACL_WDEL : ACL_WRITE,
- NULL ) )
+ if ( op->oq_modrdn.rs_newSup ) ak.ak_access = ACL_WDEL;
+ if ( ! access_allowed( op, &ak ))
 {
 send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
 return -1;
--
2.39.2