New access_allowed() ACLCHECK
authorHoward Chu <hyc@openldap.org>
Sat, 12 Dec 2009 00:12:24 +0000 (00:12 +0000)
committerHoward Chu <hyc@openldap.org>
Sat, 12 Dec 2009 00:12:24 +0000 (00:12 +0000)
12 files changed:
servers/slapd/back-shell/add.c
servers/slapd/back-shell/bind.c
servers/slapd/back-shell/compare.c
servers/slapd/back-shell/delete.c
servers/slapd/back-shell/modify.c
servers/slapd/back-shell/modrdn.c
servers/slapd/back-sock/add.c
servers/slapd/back-sock/bind.c
servers/slapd/back-sock/compare.c
servers/slapd/back-sock/delete.c
servers/slapd/back-sock/modify.c
servers/slapd/back-sock/modrdn.c

index b5e1c5c3338a765c6f45317c86d0a79cc29a0153..e4b5a59a7be7a2c46fb9b0fabd498e2d8d34b61e 100644 (file)
@@ -44,9 +44,9 @@ shell_back_add(
     SlapReply  *rs )
 {
        struct shellinfo        *si = (struct shellinfo *) op->o_bd->be_private;
-       AttributeDescription *entry = slap_schema.si_ad_entry;
        FILE                    *rfp, *wfp;
        int                     len;
+       AclCheck ak = { op->ora_e, slap_schema.si_ad_entry, NULL, ACL_WADD, NULL };
 
        if ( si->si_add == NULL ) {
                send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
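Review bot: The new `AclCheck ak = { op->ora_e, slap_schema.si_ad_entry, NULL, ACL_WADD, NULL };` is a purely positional initializer, so the requested access level is identified only by being the fourth slot between two `NULL`s, and the same pattern is repeated in the other eleven files of this commit. If `AclCheck` later gains or reorders a member, the authorization request can change meaning without a compile error. The only member name visible in this commit is `ak_access` (used in the modrdn hunks), so I would at least add a comment above the declaration such as `/* entry, attribute, value, access level, state: same order as the old access_allowed() arguments */` (assuming the members mirror the old argument list), or set the level by name with `ak.ak_access = ACL_WADD;`. The brace list also holds non-constant expressions (`op->ora_e` here, `&e` elsewhere), which strict C90 compilers reject, so it is worth checking against the project's portability baseline. shell_back_add's body continues outside the hunk.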
@@ -54,8 +54,7 @@ shell_back_add(
                return( -1 );
        }
 
-       if ( ! access_allowed( op, op->oq_add.rs_e,
-               entry, NULL, ACL_WADD, NULL ) )
+       if ( ! access_allowed( op, &ak ))
        {
                send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
                return -1;
index cc5ce2d9462edfa3b0f74562a570d5e4911e3528..72f75f27682edf918d094d6519beb1598ed024d7 100644 (file)
@@ -44,10 +44,10 @@ shell_back_bind(
     SlapReply          *rs )
 {
        struct shellinfo        *si = (struct shellinfo *) op->o_bd->be_private;
-       AttributeDescription *entry = slap_schema.si_ad_entry;
        Entry e;
        FILE                    *rfp, *wfp;
        int                     rc;
+       AclCheck        ak = { &e, slap_schema.si_ad_entry, NULL, ACL_AUTH, NULL };
 
        /* allow rootdn as a means to auth without the need to actually
         * contact the proxied DSA */
@@ -74,8 +74,7 @@ shell_back_bind(
        e.e_bv.bv_val = NULL;
        e.e_private = NULL;
 
-       if ( ! access_allowed( op, &e,
-               entry, NULL, ACL_AUTH, NULL ) )
+       if ( ! access_allowed( op, &ak ))
        {
                send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
                return -1;
index 7c1460223df5364c681618a1bedb362acda82bbf..382bc252c9d90d8e8c8d6ed6a4b4786f4c12ed69 100644 (file)
@@ -44,9 +44,9 @@ shell_back_compare(
     SlapReply  *rs )
 {
        struct shellinfo        *si = (struct shellinfo *) op->o_bd->be_private;
-       AttributeDescription *entry = slap_schema.si_ad_entry;
        Entry e;
        FILE                    *rfp, *wfp;
+       AclCheck        ak = { &e, slap_schema.si_ad_entry, NULL, ACL_COMPARE, NULL };
 
        if ( si->si_compare == NULL ) {
                send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
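Review bot: The access level requested for compare changes from `ACL_READ` (the removed call in the next hunk) to `ACL_COMPARE` in the new `AclCheck ak = { &e, slap_schema.si_ad_entry, NULL, ACL_COMPARE, NULL };`, yet the commit title describes only an API conversion. If compare ranks below read, as in slapd's usual level ordering, this relaxes the check on the `entry` pseudo-attribute for back-shell. It does bring the file in line with back-sock/compare.c, which already used `ACL_COMPARE` before this commit. If the change is intended, state it in the commit message or split it into its own commit, and add a comment such as `/* compare needs only ACL_COMPARE on the entry, matching back-sock */`; otherwise keep `ACL_READ` here. shell_back_compare's body continues outside the hunk.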
@@ -63,8 +63,7 @@ shell_back_compare(
        e.e_bv.bv_val = NULL;
        e.e_private = NULL;
 
-       if ( ! access_allowed( op, &e,
-               entry, NULL, ACL_READ, NULL ) )
+       if ( ! access_allowed( op, &ak ))
        {
                send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
                return -1;
index 35e0c8b41837fed7f3b5152a5b30f1708fcea6f7..ecbb15ef80be5889bbaa316828078229728b2ff6 100644 (file)
@@ -44,9 +44,9 @@ shell_back_delete(
     SlapReply  *rs )
 {
        struct shellinfo        *si = (struct shellinfo *) op->o_bd->be_private;
-       AttributeDescription *entry = slap_schema.si_ad_entry;
        Entry e;
        FILE                    *rfp, *wfp;
+       AclCheck        ak = { &e, slap_schema.si_ad_entry, NULL, ACL_WDEL, NULL };
 
        if ( si->si_delete == NULL ) {
                send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
@@ -63,8 +63,7 @@ shell_back_delete(
        e.e_bv.bv_val = NULL;
        e.e_private = NULL;
 
-       if ( ! access_allowed( op, &e,
-               entry, NULL, ACL_WDEL, NULL ) )
+       if ( ! access_allowed( op, &ak ))
        {
                send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
                return -1;
index 1f0d1208bfa104bd99ad44dfe089f66c5ef0f3b1..70ccd49aa98e153d8586bfd66009fdb73a45d52a 100644 (file)
@@ -45,11 +45,11 @@ shell_back_modify(
 {
        Modification *mod;
        struct shellinfo        *si = (struct shellinfo *) op->o_bd->be_private;
-       AttributeDescription *entry = slap_schema.si_ad_entry;
        Modifications *ml  = op->orm_modlist;
        Entry e;
        FILE                    *rfp, *wfp;
        int                     i;
+       AclCheck        ak = { &e, slap_schema.si_ad_entry, NULL, ACL_WRITE, NULL };
 
        if ( si->si_modify == NULL ) {
                send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
@@ -66,8 +66,7 @@ shell_back_modify(
        e.e_bv.bv_val = NULL;
        e.e_private = NULL;
 
-       if ( ! access_allowed( op, &e,
-               entry, NULL, ACL_WRITE, NULL ) )
+       if ( ! access_allowed( op, &ak ))
        {
                send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
                return -1;
index 93bcc59b900ab13d868bd40c518739c1e447bffa..bde9e522c0b058b00882e7ad3b0d5849dbf3c654 100644 (file)
@@ -44,9 +44,9 @@ shell_back_modrdn(
     SlapReply  *rs )
 {
        struct shellinfo        *si = (struct shellinfo *) op->o_bd->be_private;
-       AttributeDescription *entry = slap_schema.si_ad_entry;
        Entry e;
        FILE                    *rfp, *wfp;
+       AclCheck        ak = { &e, slap_schema.si_ad_entry, NULL, ACL_WRITE, NULL };
 
        if ( si->si_modrdn == NULL ) {
                send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
@@ -63,9 +63,9 @@ shell_back_modrdn(
        e.e_bv.bv_val = NULL;
        e.e_private = NULL;
 
-       if ( ! access_allowed( op, &e, entry, NULL,
-                       op->oq_modrdn.rs_newSup ? ACL_WDEL : ACL_WRITE,
-                       NULL ) )
+
+       if ( op->oq_modrdn.rs_newSup ) ak.ak_access = ACL_WDEL;
+       if ( ! access_allowed( op, &ak ))
        {
                send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
                return -1;
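Review bot: The access level for modrdn is now decided in two places: the initializer in the previous hunk sets `ACL_WRITE`, and `if ( op->oq_modrdn.rs_newSup ) ak.ak_access = ACL_WDEL;` overrides it here, about twenty lines later. Anyone auditing the check has to combine both to see what is enforced. Assigning it in one statement next to the call keeps the decision visible, e.g. `ak.ak_access = op->oq_modrdn.rs_newSup ? ACL_WDEL : ACL_WRITE;` with a comment like `/* new superior requested: require ACL_WDEL instead of ACL_WRITE */`. The hunk also adds a second blank line before the statement, and sock_back_modrdn carries the same unbraced override. shell_back_modrdn's body continues outside the hunk.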
index 8bf01333efd0da6dc6d484f6219bed6ded95e2fa..b77290b5cd0020d5a8922f1d063fd990b41218f4 100644 (file)
@@ -34,12 +34,11 @@ sock_back_add(
     SlapReply  *rs )
 {
        struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private;
-       AttributeDescription *entry = slap_schema.si_ad_entry;
        FILE                    *fp;
        int                     len;
+       AclCheck        ak = { op->ora_e, slap_schema.si_ad_entry, NULL, ACL_WADD, NULL };
 
-       if ( ! access_allowed( op, op->oq_add.rs_e,
-               entry, NULL, ACL_WADD, NULL ) )
+       if ( ! access_allowed( op, &ak ))
        {
                send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
                return -1;
index 5737c28493e6b76cee3768196a6d92a1ae0fa8a8..a7561b63c470629502259c0af27abcba47199c7b 100644 (file)
@@ -34,10 +34,10 @@ sock_back_bind(
     SlapReply          *rs )
 {
        struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private;
-       AttributeDescription *entry = slap_schema.si_ad_entry;
        Entry e;
        FILE                    *fp;
        int                     rc;
+       AclCheck        ak = { &e, slap_schema.si_ad_entry, NULL, ACL_AUTH, NULL };
 
        e.e_id = NOID;
        e.e_name = op->o_req_dn;
@@ -48,8 +48,7 @@ sock_back_bind(
        e.e_bv.bv_val = NULL;
        e.e_private = NULL;
 
-       if ( ! access_allowed( op, &e,
-               entry, NULL, ACL_AUTH, NULL ) )
+       if ( ! access_allowed( op, &ak ))
        {
                send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
                return -1;
index 3712b665efc8fa01e6e5118f80ace59083106dfc..ec4b82be43453aa86eec0b469e99fb81d1a5391d 100644 (file)
@@ -34,9 +34,9 @@ sock_back_compare(
     SlapReply  *rs )
 {
        struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private;
-       AttributeDescription *entry = slap_schema.si_ad_entry;
        Entry e;
        FILE                    *fp;
+       AclCheck        ak = { &e, slap_schema.si_ad_entry, NULL, ACL_COMPARE, NULL };
 
        e.e_id = NOID;
        e.e_name = op->o_req_dn;
@@ -47,8 +47,7 @@ sock_back_compare(
        e.e_bv.bv_val = NULL;
        e.e_private = NULL;
 
-       if ( ! access_allowed( op, &e,
-               entry, NULL, ACL_COMPARE, NULL ) )
+       if ( ! access_allowed( op, &ak ))
        {
                send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
                return -1;
index daa85cc6538a5dfd40442358569d246d0a2be72f..d55130715ebe185b7d37f974a67df9d08ca99cd1 100644 (file)
@@ -34,9 +34,9 @@ sock_back_delete(
     SlapReply  *rs )
 {
        struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private;
-       AttributeDescription *entry = slap_schema.si_ad_entry;
        Entry e;
        FILE                    *fp;
+       AclCheck        ak = { &e, slap_schema.si_ad_entry, NULL, ACL_WDEL, NULL };
 
        e.e_id = NOID;
        e.e_name = op->o_req_dn;
@@ -47,8 +47,7 @@ sock_back_delete(
        e.e_bv.bv_val = NULL;
        e.e_private = NULL;
 
-       if ( ! access_allowed( op, &e,
-               entry, NULL, ACL_WDEL, NULL ) )
+       if ( ! access_allowed( op, &ak ))
        {
                send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
                return -1;
index b332fb4d7fbcc8908cddd3d7dd8e576902ae5b53..d1f986d47787cfd0b0be62d93cfe4d10087872b0 100644 (file)
@@ -35,11 +35,11 @@ sock_back_modify(
 {
        Modification *mod;
        struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private;
-       AttributeDescription *entry = slap_schema.si_ad_entry;
        Modifications *ml  = op->orm_modlist;
        Entry e;
        FILE                    *fp;
        int                     i;
+       AclCheck        ak = { &e, slap_schema.si_ad_entry, NULL, ACL_WRITE, NULL };
 
        e.e_id = NOID;
        e.e_name = op->o_req_dn;
@@ -50,8 +50,7 @@ sock_back_modify(
        e.e_bv.bv_val = NULL;
        e.e_private = NULL;
 
-       if ( ! access_allowed( op, &e,
-               entry, NULL, ACL_WRITE, NULL ) )
+       if ( ! access_allowed( op, &ak ))
        {
                send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
                return -1;
index 881f3a8bc2546a9f2ed84d10bde417a2474ab6dd..5efa95e33226d5c1cc6d1687f5cd7bea5f33f981 100644 (file)
@@ -34,9 +34,9 @@ sock_back_modrdn(
     SlapReply  *rs )
 {
        struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private;
-       AttributeDescription *entry = slap_schema.si_ad_entry;
        Entry e;
        FILE                    *fp;
+       AclCheck        ak = { &e, slap_schema.si_ad_entry, NULL, ACL_WRITE, NULL };
 
        e.e_id = NOID;
        e.e_name = op->o_req_dn;
@@ -47,9 +47,8 @@ sock_back_modrdn(
        e.e_bv.bv_val = NULL;
        e.e_private = NULL;
 
-       if ( ! access_allowed( op, &e, entry, NULL,
-                       op->oq_modrdn.rs_newSup ? ACL_WDEL : ACL_WRITE,
-                       NULL ) )
+       if ( op->oq_modrdn.rs_newSup ) ak.ak_access = ACL_WDEL;
+       if ( ! access_allowed( op, &ak ))
        {
                send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
                return -1;