From: Stefan Metzmacher Date: Tue, 6 Oct 2020 13:10:33 +0000 (+0200) Subject: s4:dsdb:acl_read: make use of aclread_check_object_visible() for the search base X-Git-Tag: samba-4.12.10~28 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=376fd7e1c0f0191e48732297d6062e98cbf78407;p=thirdparty%2Fsamba.git s4:dsdb:acl_read: make use of aclread_check_object_visible() for the search base We should only have one place to do access checks. Use 'git show -w' to see the minimal diff. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531 Signed-off-by: Stefan Metzmacher Reviewed-by: Douglas Bagnall (cherry picked from commit faff8e6c89777c38443e561235073c336cfb2e9c) --- diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c index dca43bcab76..e9b3694c63c 100644 --- a/source4/dsdb/samdb/ldb_modules/acl_read.c +++ b/source4/dsdb/samdb/ldb_modules/acl_read.c @@ -742,7 +742,6 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) static const char * const _all_attrs[] = { "*", NULL }; bool all_attrs = false; const char * const *attrs = NULL; - uint32_t instanceType; static const char *acl_attrs[] = { "instanceType", NULL 
@@ -848,22 +847,11 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) return ldb_error(ldb, ret, "acl_read: Error retrieving instanceType for base."); } - instanceType = ldb_msg_find_attr_as_uint(res->msgs[0], - "instanceType", 0); - if (instanceType != 0 && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD)) - { - /* the object has a parent, so we have to check for visibility */ - struct ldb_dn *parent_dn = ldb_dn_get_parent(req, req->op.search.base); - ret = dsdb_module_check_access_on_dn(module, - req, - parent_dn, - SEC_ADS_LIST, - NULL, req); - if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) { - return ldb_module_done(req, NULL, NULL, LDB_ERR_NO_SUCH_OBJECT); - } else if (ret != LDB_SUCCESS) { - return ldb_module_done(req, NULL, NULL, ret); - } + ret = aclread_check_object_visible(ac, res->msgs[0], req); + if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) { + return ldb_module_done(req, NULL, NULL, LDB_ERR_NO_SUCH_OBJECT); + } else if (ret != LDB_SUCCESS) { + return ldb_module_done(req, NULL, NULL, ret); } }
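Review bot: The new call `aclread_check_object_visible(ac, res->msgs[0], req)` carries no comment, although the removed lines explained that the parent is checked for visibility, and nothing in the hunk says why a denied check is reported as `LDB_ERR_NO_SUCH_OBJECT`. If the intent is to keep a caller without list rights from learning that the search base exists, I would say so above the first branch, e.g. `/* a base the caller may not see is reported as missing, not as access denied */`. The message passed to the helper is still fetched with `acl_attrs`, which the first hunk shows as listing only `"instanceType"`. The helper's body is not in this diff, so it is worth confirming it reads no other attribute from that message, and adding `/* must list every attribute aclread_check_object_visible() reads */` next to `acl_attrs`. The initialisation of `ac` and the rest of `aclread_search` lie outside the hunk, so whether `ac` is fully set up at this point cannot be checked from here.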