LDAPControl **postread_ctrl = NULL;
LDAPControl *ctrls[SLAP_MAX_RESPONSE_CONTROLS];
int num_ctrls = 0;
+ AclCheck ak;
#ifdef LDAP_X_TXN
int settle = 0;
goto return_results;
}
- rs->sr_err = access_allowed( op, p,
- children, NULL, ACL_WADD, NULL );
+ ak.ak_e = p;
+ ak.ak_desc = children;
+ ak.ak_val = NULL;
+ ak.ak_access = ACL_WADD;
+ ak.ak_state = NULL;
+ rs->sr_err = access_allowed( op, &ak );
if ( ! rs->sr_err ) {
switch( opinfo.boi_err ) {
}
p = NULL;
- rs->sr_err = access_allowed( op, op->ora_e,
- entry, NULL, ACL_WADD, NULL );
+ ak.ak_e = op->ora_e;
+ ak.ak_desc = entry;
+ rs->sr_err = access_allowed( op, &ak );
if ( ! rs->sr_err ) {
switch( opinfo.boi_err ) {
DB_TXN *rtxn;
DB_LOCK lock;
+ AclCheck ak;
+
rs->sr_err = bdb_reader_get(op, bdb->bi_dbenv, &rtxn);
switch(rs->sr_err) {
case 0:
}
e = ei->bei_e;
+ ak.ak_e = e;
+ ak.ak_desc = slap_schema.si_ad_entry;
+ ak.ak_val = NULL;
+ ak.ak_access = ACL_DISCLOSE;
+ ak.ak_state = NULL;
+
if ( rs->sr_err == DB_NOTFOUND ) {
if ( e != NULL ) {
/* return referral only if "disclose" is granted on the object */
- if ( ! access_allowed( op, e, slap_schema.si_ad_entry,
- NULL, ACL_DISCLOSE, NULL ) )
+ if ( ! access_allowed( op, &ak ))
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
if (!manageDSAit && is_entry_referral( e ) ) {
/* return referral only if "disclose" is granted on the object */
- if ( !access_allowed( op, e, slap_schema.si_ad_entry,
- NULL, ACL_DISCLOSE, NULL ) )
+ if ( !access_allowed( op, &ak ))
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
if ( get_assert( op ) &&
( test_filter( op, e, get_assertion( op )) != LDAP_COMPARE_TRUE ))
{
- if ( !access_allowed( op, e, slap_schema.si_ad_entry,
- NULL, ACL_DISCLOSE, NULL ) )
+ if ( !access_allowed( op, &ak ))
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
goto return_results;
}
- if ( !access_allowed( op, e, op->oq_compare.rs_ava->aa_desc,
- &op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL ) )
+ ak.ak_desc = op->oq_compare.rs_ava->aa_desc;
+ ak.ak_val = &op->oq_compare.rs_ava->aa_value;
+ ak.ak_access = ACL_COMPARE;
+ if ( !access_allowed( op, &ak ))
{
/* return error only if "disclose"
* is granted on the object */
- if ( !access_allowed( op, e, slap_schema.si_ad_entry,
- NULL, ACL_DISCLOSE, NULL ) )
+ ak.ak_desc = slap_schema.si_ad_entry;
+ ak.ak_val = NULL;
+ ak.ak_access = ACL_DISCLOSE;
+ if ( !access_allowed( op, &ak ))
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
int settle = 0;
#endif
+ AclCheck ak;
+
Debug( LDAP_DEBUG_ARGS, "==> " LDAP_XSTRING(bdb_delete) ": %s\n",
op->o_req_dn.bv_val, 0, 0 );
}
if ( eip ) p = eip->bei_e;
+ ak.ak_desc = children;
+ ak.ak_val = NULL;
+ ak.ak_access = ACL_WDEL;
+ ak.ak_state = NULL;
if ( pdn.bv_len != 0 ) {
if( p == NULL || !bvmatch( &pdn, &p->e_nname )) {
Debug( LDAP_DEBUG_TRACE,
}
/* check parent for "children" acl */
- rs->sr_err = access_allowed( op, p,
- children, NULL, ACL_WDEL, NULL );
+ ak.ak_e = p;
+ rs->sr_err = access_allowed( op, &ak );
if ( !rs->sr_err ) {
switch( opinfo.boi_err ) {
p = (Entry *)&slap_entry_root;
/* check parent for "children" acl */
- rs->sr_err = access_allowed( op, p,
- children, NULL, ACL_WDEL, NULL );
+ ak.ak_e = p;
+ rs->sr_err = access_allowed( op, &ak );
p = NULL;
goto return_results;
}
- rs->sr_err = access_allowed( op, e,
- entry, NULL, ACL_WDEL, NULL );
+ ak.ak_e = e;
+ ak.ak_desc = entry;
+ rs->sr_err = access_allowed( op, &ak );
if ( !rs->sr_err ) {
switch( opinfo.boi_err ) {
int settle = 0;
#endif
+ AclCheck ak;
+
Debug( LDAP_DEBUG_TRACE, "==>" LDAP_XSTRING(bdb_modrdn) "(%s,%s,%s)\n",
op->o_req_dn.bv_val,op->oq_modrdn.rs_newrdn.bv_val,
op->oq_modrdn.rs_newSup ? op->oq_modrdn.rs_newSup->bv_val : "NULL" );
}
/* check write on old entry */
- rs->sr_err = access_allowed( op, e, entry, NULL, ACL_WRITE, NULL );
+ ak.ak_e = e;
+ ak.ak_desc = entry;
+ ak.ak_val = NULL;
+ ak.ak_access = ACL_WRITE;
+ ak.ak_state = NULL;
+ rs->sr_err = access_allowed( op, &ak );
if ( ! rs->sr_err ) {
switch( opinfo.boi_err ) {
case DB_LOCK_DEADLOCK:
}
/* check parent for "children" acl */
- rs->sr_err = access_allowed( op, p,
- children, NULL,
- op->oq_modrdn.rs_newSup == NULL ?
- ACL_WRITE : ACL_WDEL,
- NULL );
+ ak.ak_e = p;
+ ak.ak_desc = children;
+ ak.ak_access = op->oq_modrdn.rs_newSup == NULL ? ACL_WRITE : ACL_WDEL;
+ rs->sr_err = access_allowed( op, &ak );
if ( !p_ndn.bv_len )
p = NULL;
(void *) np, (long) np->e_id, 0 );
/* check newSuperior for "children" acl */
- rs->sr_err = access_allowed( op, np, children,
- NULL, ACL_WADD, NULL );
+ ak.ak_e = np;
+ ak.ak_access = ACL_WADD;
+ rs->sr_err = access_allowed( op, &ak );
if( ! rs->sr_err ) {
switch( opinfo.boi_err ) {
np = (Entry *)&slap_entry_root;
/* check parent for "children" acl */
- rs->sr_err = access_allowed( op, np,
- children, NULL, ACL_WADD, NULL );
+ ak.ak_e = np;
+ ak.ak_access = ACL_WADD;
+ rs->sr_err = access_allowed( op, &ak );
np = NULL;
EntryInfo *ei;
AttributeName *attrs;
struct berval realbase = BER_BVNULL;
- slap_mask_t mask;
time_t stoptime;
int manageDSAit;
int tentries = 0;
struct bdb_op_info *opinfo = NULL;
DB_TXN *ltid = NULL;
OpExtra *oex;
+ AclCheck ak;
Debug( LDAP_DEBUG_TRACE, "=> " LDAP_XSTRING(bdb_search) "\n", 0, 0, 0);
attrs = op->oq_search.rs_attrs;
}
}
+ ak.ak_desc = slap_schema.si_ad_entry;
+ ak.ak_val = NULL;
+ ak.ak_state = NULL;
+
if ( e == NULL ) {
struct berval matched_dn = BER_BVNULL;
/* return referral only if "disclose"
* is granted on the object */
- if ( ! access_allowed( op, matched,
- slap_schema.si_ad_entry,
- NULL, ACL_DISCLOSE, NULL ) )
+ ak.ak_e = matched;
+ ak.ak_access = ACL_DISCLOSE;
+ if ( ! access_allowed( op, &ak ))
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
/* NOTE: __NEW__ "search" access is required
* on searchBase object */
- if ( ! access_allowed_mask( op, e, slap_schema.si_ad_entry,
- NULL, ACL_SEARCH, NULL, &mask ) )
+ ak.ak_e = e;
+ ak.ak_access = ACL_SEARCH;
+ if ( ! access_allowed( op, &ak ))
{
- if ( !ACL_GRANT( mask, ACL_DISCLOSE ) ) {
+ if ( !ACL_GRANT( ak.ak_mask, ACL_DISCLOSE ) ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else {
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
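Review bot: `ak.ak_mask` is read on the deny path at `ACL_GRANT( ak.ak_mask, ACL_DISCLOSE )` but nothing in bdb_search writes it — the field set-up earlier in the function covers ak_desc, ak_val and ak_state only — so its value is whatever access_allowed left behind. The removed code had the same shape (`slap_mask_t mask` was likewise uninitialized before `access_allowed_mask`), so this is safe only if the new access_allowed invalidates or writes ak_mask on every return path, including early returns from overlay hooks such as the SLAPI one in this same change, which is not visible here. Initialising it at the call site costs one line and fails closed, assuming ACL_GRANT treats a zero mask as granting nothing: `ak.ak_e = e; ak.ak_access = ACL_SEARCH; ak.ak_mask = 0;`. If slap.h has a dedicated invalidate convention for masks, use that instead of a literal 0. bdb_search continues beyond this hunk.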
LDAP_SLAPI_F (Modifications *) slapi_int_ldapmods2modifications LDAP_P(( Operation *op, LDAPMod ** ));
LDAP_SLAPI_F (int) slapi_int_count_controls LDAP_P(( LDAPControl **ctrls ));
LDAP_SLAPI_F (char **) slapi_get_supported_extended_ops LDAP_P((void));
-LDAP_SLAPI_F (int) slapi_int_access_allowed LDAP_P((Operation *op, Entry *entry, AttributeDescription *desc, struct berval *val, slap_access_t access, AccessControlState *state ));
+LDAP_SLAPI_F (int) slapi_int_access_allowed LDAP_P((Operation *op, AclCheck *ak ));
/* slapi_ops.c */
LDAP_SLAPI_F (int) slapi_int_response LDAP_P(( Slapi_Operation *op, SlapReply *rs ));
static int
slapi_over_access_allowed(
Operation *op,
- Entry *e,
- AttributeDescription *desc,
- struct berval *val,
- slap_access_t access,
- AccessControlState *state,
- slap_mask_t *maskp )
+ AclCheck *ak )
{
int rc;
Slapi_PBlock *pb;
pb = SLAPI_OPERATION_PBLOCK( op );
- rc = slapi_int_access_allowed( op, e, desc, val, access, state );
+ rc = slapi_int_access_allowed( op, ak );
if ( rc ) {
rc = SLAP_CB_CONTINUE;
}
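Review bot: On the denied path (`rc == 0` from slapi_int_access_allowed) this hook returns without writing `ak->ak_mask`, yet callers now receive the whole struct and some read the mask after a denial — bdb_search in this same change does `ACL_GRANT( ak.ak_mask, ACL_DISCLOSE )`. The removed signature carried a separate `slap_mask_t *maskp`; with the struct there is no way for a caller to opt out, so unless the frontend invalidates ak_mask before dispatching to overlay hooks, a SLAPI-plugin denial leaves the disclose decision on an indeterminate value. Setting it explicitly before returning the denial is cheap: `if ( rc ) { rc = SLAP_CB_CONTINUE; } else { ak->ak_mask = 0; }`, with the caveat that 0 must be a value ACL_GRANT treats as no privileges. The function's return statement is outside the hunk.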
struct berval *val, int access )
{
int rc;
- slap_access_t slap_access;
- AttributeDescription *ad = NULL;
const char *text;
+ AclCheck ak;
- rc = slap_str2ad( attr, &ad, &text );
+ ak.ak_desc = NULL;
+ rc = slap_str2ad( attr, &ak.ak_desc, &text );
if ( rc != LDAP_SUCCESS ) {
return rc;
}
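Review bot: `AclCheck ak;` is declared uninitialized and then assembled field by field across the rest of slapi_access_allowed (ak_desc here, ak_access in the switch, ak_e/ak_val/ak_state just before the access_allowed call), which leaves any field not on that list — ak_mask today, and anything added to the struct later — indeterminate when it reaches access_allowed. Since the code already takes care to NULL ak_desc before slap_str2ad, it is simpler and safer to zero the whole struct at the declaration, `AclCheck ak = { 0 };`, and drop the explicit `ak.ak_desc = NULL;`. The same piecemeal pattern appears in the bdb add/compare/delete/modrdn/search hunks of this change and would benefit equally. slapi_access_allowed's signature begins before this hunk.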
*/
switch ( access & SLAPI_ACL_ALL ) {
case SLAPI_ACL_COMPARE:
- slap_access = ACL_COMPARE;
+ ak.ak_access = ACL_COMPARE;
break;
case SLAPI_ACL_SEARCH:
- slap_access = ACL_SEARCH;
+ ak.ak_access = ACL_SEARCH;
break;
case SLAPI_ACL_READ:
- slap_access = ACL_READ;
+ ak.ak_access = ACL_READ;
break;
case SLAPI_ACL_WRITE:
- slap_access = ACL_WRITE;
+ ak.ak_access = ACL_WRITE;
break;
case SLAPI_ACL_DELETE:
- slap_access = ACL_WDEL;
+ ak.ak_access = ACL_WDEL;
break;
case SLAPI_ACL_ADD:
- slap_access = ACL_WADD;
+ ak.ak_access = ACL_WADD;
break;
case SLAPI_ACL_SELF: /* not documented */
case SLAPI_ACL_PROXY: /* not documented */
assert( pb->pb_op != NULL );
- if ( access_allowed( pb->pb_op, e, ad, val, slap_access, NULL ) ) {
+ ak.ak_e = e;
+ ak.ak_val = val;
+ ak.ak_state = NULL;
+ if ( access_allowed( pb->pb_op, &ak )) {
return LDAP_SUCCESS;
}
}
int slapi_int_access_allowed( Operation *op,
- Entry *entry,
- AttributeDescription *desc,
- struct berval *val,
- slap_access_t access,
- AccessControlState *state )
+ AclCheck *ak )
{
int rc, slap_access = 0;
slapi_acl_callback_t *pGetPlugin, *tmpPlugin;
return 1;
}
- switch ( access ) {
+ switch ( ak->ak_access ) {
case ACL_COMPARE:
- slap_access |= SLAPI_ACL_COMPARE;
+ slap_access |= SLAPI_ACL_COMPARE;
break;
case ACL_SEARCH:
slap_access |= SLAPI_ACL_SEARCH;
* 0 access denied
* 1 access granted
*/
- rc = (*pGetPlugin)( pb, entry, desc->ad_cname.bv_val,
- val, slap_access, (void *)state );
+ rc = (*pGetPlugin)( pb, ak->ak_e, ak->ak_desc->ad_cname.bv_val,
+ ak->ak_val, slap_access, (void *)ak->ak_state );
if ( rc == 0 ) {
break;
}