ITS#7347 Allow subtractive -a/z/i to work as expected

author Ondřej Kuzník <ondra@mistotebe.net>

Wed, 10 Dec 2025 12:07:18 +0000 (12:07 +0000)

committer Quanah Gibson-Mount <quanah@openldap.org>

Thu, 11 Dec 2025 20:42:19 +0000 (20:42 +0000)
author Ondřej Kuzník <ondra@mistotebe.net>
Wed, 10 Dec 2025 12:07:18 +0000 (12:07 +0000)
committer Quanah Gibson-Mount <quanah@openldap.org>
Thu, 11 Dec 2025 20:42:19 +0000 (20:42 +0000)
diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c

index 6e841a75480d8533a4520003eac41bcef360b41d..780bb21790c182a1d1b21e4f237d857d0c36211f 100644 (file)
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -1860,6 +1860,11 @@ slap_acl_mask(
                         ACL_PRIV_CLR( *mask, modmask );
  
                         /* cleanup */
+                       if ( (modmask & ACL_PRIV_WRITE) && (*mask & ACL_PRIV_WRITE) ) {
+                               /* ITS#7347 Allow subtractive -a/z/i to keep the other counterpart (so
+                                * that "=w" then "-a" -> "zi" etc.) */
+                               ACL_PRIV_SET( *mask, ACL_ACCESS2PRIV(ACL_WRITE_) );
+                       }
                         ACL_PRIV_CLR( *mask, ~ACL_PRIV_MASK );
  
                 } else {
author	Ondřej Kuzník <ondra@mistotebe.net>
	Wed, 10 Dec 2025 12:07:18 +0000 (12:07 +0000)
committer	Quanah Gibson-Mount <quanah@openldap.org>
	Thu, 11 Dec 2025 20:42:19 +0000 (20:42 +0000)