s4:dsdb:acl_read: introduce aclread_check_object_visible() helper
authorStefan Metzmacher <metze@samba.org>
Tue, 6 Oct 2020 13:07:19 +0000 (15:07 +0200)
committerKarolin Seeger <kseeger@samba.org>
Mon, 26 Oct 2020 12:17:33 +0000 (12:17 +0000)
In future this will do more than aclread_check_parent(),
if we implement fDoListObject and SEC_ADS_LIST_OBJECT handling.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit d2dd7c2a5c1f8ee30f0f3b41f933d082b0c75f7c)

source4/dsdb/samdb/ldb_modules/acl_read.c

index 1e016b970ee458930c83b219ebf1ffccdd2669e5..9d088698e8c39a352157b35a849906eefd6e9e52 100644 (file)
@@ -152,6 +152,25 @@ static int aclread_check_parent(struct aclread_context *ac,
        return ret;
 }
 
+static int aclread_check_object_visible(struct aclread_context *ac,
+                                       struct ldb_message *msg,
+                                       struct ldb_request *req)
+{
+       uint32_t instanceType;
+
+       /* get the object instance type */
+       instanceType = ldb_msg_find_attr_as_uint(msg,
+                                                "instanceType", 0);
+       if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
+               /*
+                * NC_HEAD objects are always visible
+                */
+               return LDB_SUCCESS;
+       }
+
+       return aclread_check_parent(ac, msg, req);
+}
+
 /*
  * The sd returned from this function is valid until the next call on
  * this module context
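Review bot: aclread_check_object_visible() carries no header comment stating its contract, even though the commit message says it is meant to grow (fDoListObject / SEC_ADS_LIST_OBJECT handling), so a later change could alter which entries a caller may see without the return-code meaning being written down anywhere. I would add above the definition: `/* Return LDB_SUCCESS if the caller may see msg, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS if the entry must be suppressed. NC heads are always visible; everything else is decided by aclread_check_parent(). Callers must reject a null DN before calling. TODO: fDoListObject / SEC_ADS_LIST_OBJECT. */`. It is also worth noting in that comment that ldb_msg_find_attr_as_uint() yields 0 when instanceType is absent from msg, so such an entry is treated as a non-NC-head and goes through the parent check — presumably instanceType is always fetched by this module, but the helper now depends on it silently. The ldb_dn_is_null() test from the old inline code is intentionally not repeated here; it stays with the caller in aclread_callback().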
@@ -464,7 +483,6 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
        struct security_descriptor *sd = NULL;
        struct dom_sid *sid = NULL;
        TALLOC_CTX *tmp_ctx;
-       uint32_t instanceType;
        const struct dsdb_class *objectclass;
        bool suppress_result = false;
 
@@ -507,14 +525,12 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
                }
 
                sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
-               /* get the object instance type */
-               instanceType = ldb_msg_find_attr_as_uint(msg,
-                                                        "instanceType", 0);
-               if (!ldb_dn_is_null(msg->dn) && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
-               {
-                       /* the object has a parent, so we have to check for visibility */
-                       ret = aclread_check_parent(ac, msg, req);
-                       
+               if (!ldb_dn_is_null(msg->dn)) {
+                       /*
+                        * this is a real object, so we have
+                        * to check for visibility
+                        */
+                       ret = aclread_check_object_visible(ac, msg, req);
                        if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
                                talloc_free(tmp_ctx);
                                return LDB_SUCCESS;
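Review bot: The new comment at `this is a real object, so we have to check for visibility` says neither what the null-DN case is nor that the NC-head short-circuit has moved into the helper, which makes the condition read as if every non-null DN goes through a parent check. I would write it as `/* Only a null DN is exempt (no parent that could hide it); NC heads are accepted inside aclread_check_object_visible(). */`. Only LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS is handled inside the hunk, freeing tmp_ctx and returning LDB_SUCCESS so the entry is withheld without signalling an error to the client — the right choice against enumeration of hidden objects; presumably any other error code from the helper is propagated further down, but that part of aclread_callback() lies outside the hunk.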