From: Kurt Zeilenga
Date: Tue, 15 Jan 2002 16:28:13 +0000 (+0000)
Subject: disallow selfwriters from deleting all values with replace
X-Git-Tag: OPENLDAP_REL_ENG_2_0_21~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=59ef329ca171efd2d35549218d3086d8c6bc463b;p=thirdparty%2Fopenldap.git

disallow selfwriters from deleting all values with replace
---

diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index c813eda544..56ff6c172d 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -899,16 +899,20 @@ acl_check_modlist(
 switch ( mlist->sml_op ) {
 case LDAP_MOD_REPLACE:
- if ( mlist->sml_bvalues == NULL ) {
- if ( ! access_allowed( be, conn, op, e,
- mlist->sml_desc, NULL, ACL_WRITE ) )
- {
- return( 0 );
- }
- break;
+ /*
+ * We must check both permission to delete the whole
+ * attribute and permission to add the specific attributes.
+ * This prevents abuse from selfwriters.
+ */
+ if ( ! access_allowed( be, conn, op, e,
+ mlist->sml_desc, NULL, ACL_WRITE ) )
+ {
+ return( 0 );
 }
- /* fall thru */
+ if ( mlist->sml_bvalues == NULL ) break;
+
+ /* fall thru to check value to add */
 case LDAP_MOD_ADD:
 assert( mlist->sml_bvalues != NULL );