From 68081c5a24b69f140ef3ed0ccb2b02b33aa01df3 Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Thu, 27 Jan 2011 00:50:26 +0000 Subject: [PATCH] ITS#6804 fix ACL_RECORD_VALUE_STATE macro, was skipping past the ACL instead of resuming from the intended one --- servers/slapd/acl.c | 77 +++++++++++++++++++++++---------------------- 1 file changed, 40 insertions(+), 37 deletions(-) diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index 1617b5382d..ef85ad2614 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -57,7 +57,9 @@ static AccessControl * slap_acl_get( AccessControlState *state ); static slap_control_t slap_acl_mask( - AccessControl *ac, slap_mask_t *mask, + AccessControl *ac, + AccessControl *prev, + slap_mask_t *mask, Operation *op, Entry *e, AttributeDescription *desc, struct berval *val, @@ -141,7 +143,7 @@ slap_access_allowed( { int ret = 1; int count; - AccessControl *a = NULL; + AccessControl *a, *prev; #ifdef LDAP_DEBUG char accessmaskbuf[ACCESSMASK_MAXLEN]; @@ -236,6 +238,7 @@ slap_access_allowed( } MATCHES_MEMSET( &matches ); + prev = a; while ( ( a = slap_acl_get( a, &count, op, e, desc, val, &matches, &mask, state ) ) != NULL ) @@ -282,7 +285,7 @@ slap_access_allowed( Debug( LDAP_DEBUG_ACL, "\n", 0, 0, 0 ); } - control = slap_acl_mask( a, &mask, op, + control = slap_acl_mask( a, prev, &mask, op, e, desc, val, &matches, count, state, access ); if ( control != ACL_BREAK ) { @@ -290,6 +293,7 @@ slap_access_allowed( } MATCHES_MEMSET( &matches ); + prev = a; } if ( ACL_IS_INVALID( mask ) ) { @@ -717,8 +721,8 @@ slap_acl_get( #define ACL_RECORD_VALUE_STATE do { \ if( state && !state->as_vd_acl_present ) { \ state->as_vd_acl_present = 1; \ - state->as_vd_acl = a; \ - state->as_vd_acl_count = count; \ + state->as_vd_acl = prev; \ + state->as_vd_acl_count = count - 1; \ ACL_PRIV_ASSIGN( state->as_vd_mask, *mask ); \ } \ } while( 0 ) 
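Review bot: `AccessControl *a, *prev;` in the slap_access_allowed hunk at line 143 drops the `= NULL` the removed line had, so `a` is defined at the first `slap_acl_get( a, ... )` call only if every path between the declaration and that call assigns it; that code is outside the hunk, and reading an unassigned automatic is undefined behavior rather than a predictable start-from-the-first-ACL. The initializer costs nothing and also covers `prev`, which ACL_RECORD_VALUE_STATE stores into `state->as_vd_acl` and which the caller later hands back to `slap_acl_get`: `AccessControl *a = NULL, *prev = NULL;`. Even if the resume-from-state path assigns both unconditionally, the initializer documents the default and keeps a later refactor from reintroducing the read.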
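Review bot: `prev = a;` is maintained at the bottom of the while body (hunk at line 293), so the invariant "prev is the ACL slap_acl_get() returned just before the current `a`" holds only if nothing between the `while` and that line leaves the iteration with `continue`; most of the body is outside these hunks, so this is worth checking, because a stale `prev` would make ACL_RECORD_VALUE_STATE record an ACL further back than intended, with `count - 1` off by the same amount. Setting `prev` once at the top of the iteration makes the invariant hold regardless of how the body is exited, at the cost of turning the `while` into a `for ( ;; )`; the same applies to the hunk at line 238. The loop body starts and ends outside the hunks shown.
```c
	MATCHES_MEMSET( &matches );
	for ( ;; ) {
		/* Invariant: prev is the ACL slap_acl_get() returned before the
		 * current one (NULL, or the resume point, on the first pass);
		 * ACL_RECORD_VALUE_STATE stores it so that a later value resumes
		 * at exactly the current ACL.  Set here, not at the loop end, so
		 * that no exit path of the body can leave it stale. */
		prev = a;
		a = slap_acl_get( a, &count, op, e, desc, val,
			&matches, &mask, state );
		if ( a == NULL )
			break;
		/* … unchanged: Debug output, slap_acl_mask( a, prev, ... ) call,
		 * ACL_BREAK test and MATCHES_MEMSET( &matches ), minus the trailing prev = a; … */
```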
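Review bot: ACL_RECORD_VALUE_STATE (hunk at line 721) now silently depends on four locals of its expansion site — `state`, `prev`, `count` and `mask` — and with `prev` added it can only be expanded inside `slap_acl_mask()` (its former use in `acl_mask_dnattr()` is deleted by this commit), yet it is defined next to `slap_acl_get()` with no comment saying so. The stored pair (`prev`, `count - 1`) is the ACL *before* the one being evaluated, so that a resumed `slap_acl_get( state->as_vd_acl, ... )` yields the current ACL again; that is the whole point of the fix and should be written down rather than inferred from the `- 1`. Suggested comment above the `#define`: `/* Record the ACL preceding the current one (prev, count - 1) so that a resumed slap_acl_get() yields the current ACL again; needs state, prev, count and mask in scope: slap_acl_mask() only. */`. If `count` can still be 0 here — it depends on where slap_acl_get() increments it, outside the hunk — the `- 1` would store -1; presumably it has already been advanced for the current ACL, which an `assert( count > 0 )` would pin.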
@@ -1072,8 +1076,6 @@ acl_mask_dnattr( if ( ! bdn->a_self ) return 1; - ACL_RECORD_VALUE_STATE; - /* this is a self clause, check if the target is an * attribute. */ @@ -1108,6 +1110,7 @@ acl_mask_dnattr( static slap_control_t slap_acl_mask( AccessControl *a, + AccessControl *prev, slap_mask_t *mask, Operation *op, Entry *e, @@ -1155,6 +1158,36 @@ slap_acl_mask( ACL_INVALIDATE( modmask ); + /* check for the "self" modifier in the field */ + if ( b->a_dn.a_self ) { + const char *dummy; + int rc, match = 0; + + ACL_RECORD_VALUE_STATE; + + /* must have DN syntax */ + if ( desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName && + !is_at_syntax( desc->ad_type, SLAPD_NAMEUID_SYNTAX )) continue; + + /* check if the target is an attribute. */ + if ( val == NULL ) continue; + + /* a DN must be present */ + if ( BER_BVISEMPTY( &op->o_ndn ) ) { + continue; + } + + /* target is attribute, check if the attribute value + * is the op dn. + */ + rc = value_match( &match, desc, + desc->ad_type->sat_equality, 0, + val, &op->o_ndn, &dummy ); + /* on match error or no match, fail the ACL clause */ + if ( rc != LDAP_SUCCESS || match != 0 ) + continue; + } + /* AND clauses */ if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) { Debug( LDAP_DEBUG_ACL, "<= check a_dn_pat: %s\n", 
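Review bot: The moved `self` block in the hunk at line 1158 now runs before the `a_dn_pat` AND-clause, so ACL_RECORD_VALUE_STATE is recorded for a `self` clause even when that clause is later rejected by its dn pattern; the commit message describes only the macro fix, so the reason the value-dependent test must come first — presumably so that the state is captured before any other test can `continue` past this clause — belongs in the code, e.g. replace the block's first comment with `/* check the "self" modifier first: it is the value-dependent part of the clause, and ACL_RECORD_VALUE_STATE must be recorded before any other test can skip the clause */`. The `continue` statements target the clause loop over `b`, which begins outside the hunk, and `match != 0` means value_match() reported inequality, as the comment above it already says. A regression test with a `self` clause on a multi-valued attribute would pin the resume behaviour this commit fixes; the block is otherwise identical to the one deleted in the next hunk.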
@@ -1726,36 +1759,6 @@ slap_acl_mask(
 }
 }
- /* check for the "self" modifier in the field */
- if ( b->a_dn.a_self ) {
- const char *dummy;
- int rc, match = 0;
-
- ACL_RECORD_VALUE_STATE;
-
- /* must have DN syntax */
- if ( desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName &&
- !is_at_syntax( desc->ad_type, SLAPD_NAMEUID_SYNTAX )) continue;
-
- /* check if the target is an attribute. */
- if ( val == NULL ) continue;
-
- /* a DN must be present */
- if ( BER_BVISEMPTY( &op->o_ndn ) ) {
- continue;
- }
-
- /* target is attribute, check if the attribute value
- * is the op dn.
- */
- rc = value_match( &match, desc,
- desc->ad_type->sat_equality, 0,
- val, &op->o_ndn, &dummy );
- /* on match error or no match, fail the ACL clause */
- if ( rc != LDAP_SUCCESS || match != 0 )
- continue;
- }
-
 #ifdef SLAP_DYNACL
 if ( b->a_dynacl ) {
 slap_dynacl_t *da;
-- 
2.47.3