From: Howard Chu
Date: Fri, 11 Dec 2009 06:03:26 +0000 (+0000)
Subject: New access_allowed()
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6c6339cb435d2810555aad803c21aa5942d6b113;p=thirdparty%2Fopenldap.git
New access_allowed()
---
diff --git a/servers/slapd/back-monitor/compare.c b/servers/slapd/back-monitor/compare.c
index 4481f0ea22..602dec40de 100644
--- a/servers/slapd/back-monitor/compare.c
+++ b/servers/slapd/back-monitor/compare.c
@@ -33,15 +33,20 @@ monitor_back_compare( Operation *op, SlapReply *rs )
 Entry *e, *matched = NULL;
 Attribute *a;
 int rc;
+ AclCheck ak;
+
+ ak.ak_state = NULL;
 /* get entry with reader lock */
 monitor_cache_dn2entry( op, rs, &op->o_req_ndn, &e, &matched );
 if ( e == NULL ) {
 rs->sr_err = LDAP_NO_SUCH_OBJECT;
 if ( matched ) {
- if ( !access_allowed_mask( op, matched,
- slap_schema.si_ad_entry,
- NULL, ACL_DISCLOSE, NULL, NULL ) )
+ ak.ak_e = matched;
+ ak.ak_desc = slap_schema.si_ad_entry;
+ ak.ak_val = NULL;
+ ak.ak_access = ACL_DISCLOSE;
+ if ( !access_allowed( op, &ak ))
 {
 /* do nothing */ ;
 } else {
@@ -57,8 +62,11 @@ monitor_back_compare( Operation *op, SlapReply *rs )
 return rs->sr_err;
 }
- rs->sr_err = access_allowed( op, e, op->oq_compare.rs_ava->aa_desc,
- &op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL );
+ ak.ak_e = e;
+ ak.ak_desc = op->oq_compare.rs_ava->aa_desc;
+ ak.ak_val = &op->oq_compare.rs_ava->aa_value;
+ ak.ak_access = ACL_COMPARE;
+ rs->sr_err = access_allowed( op, &ak );
 if ( !rs->sr_err ) {
 rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
 goto return_results;
@@ -94,8 +102,10 @@ return_results:;
 break;
 default:
- if ( !access_allowed_mask( op, e, slap_schema.si_ad_entry,
- NULL, ACL_DISCLOSE, NULL, NULL ) )
+ ak.ak_desc = slap_schema.si_ad_entry;
+ ak.ak_val = NULL;
+ ak.ak_access = ACL_DISCLOSE;
+ if ( !access_allowed( op, &ak ))
 {
 rs->sr_err = LDAP_NO_SUCH_OBJECT;
 }
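Review bot: In the `default:` branch of the last compare.c hunk (@@ -94,8 +102,10 @@) the disclose check no longer names the entry it is checking: the old call passed `e` explicitly, while the new code sets `ak_desc`, `ak_val` and `ak_access` and relies on `ak.ak_e` still holding `e` from the ACL_COMPARE check in the previous hunk. That holds only while every path to `return_results` passes through that assignment, which cannot be confirmed here because the code between the two sites is outside the hunks. Since this check decides whether the client is answered with LDAP_NO_SUCH_OBJECT, I would make it self-contained by adding `ak.ak_e = e;` before `ak.ak_desc = slap_schema.si_ad_entry;`, as modify.c does at both of its call sites.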
diff --git a/servers/slapd/back-monitor/modify.c b/servers/slapd/back-monitor/modify.c
index 53d7711281..ad094325fd 100644
--- a/servers/slapd/back-monitor/modify.c
+++ b/servers/slapd/back-monitor/modify.c
@@ -37,6 +37,7 @@ monitor_back_modify( Operation *op, SlapReply *rs )
 monitor_info_t *mi = ( monitor_info_t * )op->o_bd->be_private;
 Entry *matched;
 Entry *e;
+ AclCheck ak;
 Debug(LDAP_DEBUG_ARGS, "monitor_back_modify:\n", 0, 0, 0);
@@ -45,9 +46,12 @@ monitor_back_modify( Operation *op, SlapReply *rs )
 if ( e == NULL ) {
 rs->sr_err = LDAP_NO_SUCH_OBJECT;
 if ( matched ) {
- if ( !access_allowed_mask( op, matched,
- slap_schema.si_ad_entry,
- NULL, ACL_DISCLOSE, NULL, NULL ) )
+ ak.ak_e = matched;
+ ak.ak_desc = slap_schema.si_ad_entry;
+ ak.ak_val = NULL;
+ ak.ak_access = ACL_DISCLOSE;
+ ak.ak_state = NULL;
+ if ( !access_allowed( op, &ak ))
 {
 /* do nothing */ ;
 } else {
@@ -73,8 +77,12 @@ monitor_back_modify( Operation *op, SlapReply *rs )
 }
 if ( rc != LDAP_SUCCESS ) {
- if ( !access_allowed_mask( op, e, slap_schema.si_ad_entry,
- NULL, ACL_DISCLOSE, NULL, NULL ) )
+ ak.ak_e = e;
+ ak.ak_desc = slap_schema.si_ad_entry;
+ ak.ak_val = NULL;
+ ak.ak_access = ACL_DISCLOSE;
+ ak.ak_state = NULL;
+ if ( !access_allowed( op, &ak ))
 {
 rc = LDAP_NO_SUCH_OBJECT;
 }
diff --git a/servers/slapd/back-monitor/search.c b/servers/slapd/back-monitor/search.c
index 7ca90080a2..b730adaa90 100644
--- a/servers/slapd/back-monitor/search.c
+++ b/servers/slapd/back-monitor/search.c
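Review bot: Both modify.c call sites (@@ -45,9 +46,12 @@ and @@ -73,8 +77,12 @@) repeat the same five assignments to `ak`, differing only in `ak.ak_e`, whereas search.c in this same commit sets the invariant fields once after the declaration. Hoisting `ak.ak_desc = slap_schema.si_ad_entry;`, `ak.ak_val = NULL;` and `ak.ak_state = NULL;` to just after the declarations would shorten each site and make it harder for a later site to run an access check with a field left unset. monitor_back_modify's body continues outside these hunks, so confirm that nothing between the two sites needs different values before hoisting.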
@@ -164,19 +164,21 @@ monitor_back_search( Operation *op, SlapReply *rs )
 monitor_info_t *mi = ( monitor_info_t * )op->o_bd->be_private;
 int rc = LDAP_SUCCESS;
 Entry *e = NULL, *matched = NULL;
- slap_mask_t mask;
+ AclCheck ak;
 Debug( LDAP_DEBUG_TRACE, "=> monitor_back_search\n", 0, 0, 0 );
-
+ ak.ak_desc = slap_schema.si_ad_entry;
+ ak.ak_val = NULL;
+ ak.ak_state = NULL;
 /* get entry with reader lock */
 monitor_cache_dn2entry( op, rs, &op->o_req_ndn, &e, &matched );
 if ( e == NULL ) {
 rs->sr_err = LDAP_NO_SUCH_OBJECT;
 if ( matched ) {
- if ( !access_allowed_mask( op, matched,
- slap_schema.si_ad_entry,
- NULL, ACL_DISCLOSE, NULL, NULL ) )
+ ak.ak_e = matched;
+ ak.ak_access = ACL_DISCLOSE;
+ if ( !access_allowed( op, &ak ))
 {
 /* do nothing */ ;
 } else {
@@ -195,12 +197,13 @@ monitor_back_search( Operation *op, SlapReply *rs )
 /* NOTE: __NEW__ "search" access is required
 * on searchBase object */
- if ( !access_allowed_mask( op, e, slap_schema.si_ad_entry,
- NULL, ACL_SEARCH, NULL, &mask ) )
+ ak.ak_e = e;
+ ak.ak_access = ACL_SEARCH;
+ if ( !access_allowed( op, &ak ))
 {
 monitor_cache_release( mi, e );
- if ( !ACL_GRANT( mask, ACL_DISCLOSE ) ) {
+ if ( !ACL_GRANT( ak.ak_mask, ACL_DISCLOSE ) ) {
 rs->sr_err = LDAP_NO_SUCH_OBJECT;
 } else {
 rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
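Review bot: After a failed ACL_SEARCH check in the second search.c hunk (@@ -195,12 +197,13 @@), `ACL_GRANT( ak.ak_mask, ACL_DISCLOSE )` reads a field that nothing visible in this function writes: `AclCheck ak;` is an uninitialized automatic and only `ak_desc`, `ak_val`, `ak_state`, `ak_e` and `ak_access` are assigned here. The choice between LDAP_NO_SUCH_OBJECT and LDAP_INSUFFICIENT_ACCESS therefore depends on access_allowed() storing the mask on every deny path, which this diff does not show (the removed code relied on the callee in the same way through `&mask`). I would either zero the struct at its declaration, `AclCheck ak = { 0 };`, so that a missed store presumably falls to the non-disclosing branch, or add a comment at the read stating that access_allowed() always sets `ak_mask`. The declarations in compare.c and modify.c follow the same pattern, though neither reads `ak_mask`; the function body continues outside this hunk.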