From: Ondřej Kuzník Date: Tue, 7 Apr 2015 18:53:10 +0000 (+0100) Subject: ITS#8057 Use an actual entry for modify/modrdn checks X-Git-Tag: OPENLDAP_REL_ENG_2_5_0ALPHA~141^2~76 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cf3e10ee15534f3b17385a3d45d6ce15ec34e2cc;p=thirdparty%2Fopenldap.git ITS#8057 Use an actual entry for modify/modrdn checks
---
diff --git a/servers/slapd/overlays/unique.c b/servers/slapd/overlays/unique.c
index 53158461bc..c6bb780d76 100644
--- a/servers/slapd/overlays/unique.c
+++ b/servers/slapd/overlays/unique.c
@@ -1162,6 +1162,7 @@ unique_modify( unique_domain *domain; Operation nop = *op; Modifications *m; + Entry *e = NULL; char *key, *kp; struct berval bvkey; int rc = SLAP_CB_CONTINUE;
@@ -1172,12 +1173,18 @@ unique_modify( /* skip the checks if the operation has manageDsaIt control in it * (for replication) */ if ( op->o_managedsait > SLAP_CONTROL_IGNORED - && access_allowed ( op, op->ora_e, + && overlay_entry_get_ov(op, &op->o_req_ndn, NULL, NULL, 0, &e, on) == LDAP_SUCCESS + && e + && access_allowed ( op, e, slap_schema.si_ad_entry, NULL, ACL_MANAGE, NULL ) ) { Debug(LDAP_DEBUG_TRACE, "unique_modify: administrative bypass, skipping\n", 0, 0, 0); + overlay_entry_release_ov( op, e, 0, on ); return rc; } + if ( e ) { + overlay_entry_release_ov( op, e, 0, on ); + } for ( domain = legacy ? legacy : domains; domain;
@@ -1284,6 +1291,7 @@ unique_modrdn( unique_domain *legacy = private->legacy; unique_domain *domain; Operation nop = *op; + Entry *e = NULL; char *key, *kp; struct berval bvkey; LDAPRDN newrdn;
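Review bot: In the second unique_modify hunk the fetched entry is released in two separate places, once inside the bypass branch and again after it, so a later early return added between them would leak the entry reference. The comment above the condition also still describes only the manageDsaIt control, although the bypass now depends on an ACL_MANAGE check against the stored entry as well. Deciding the bypass into a local flag and releasing the entry once keeps the reference lifetime in one place and makes it explicit that a failed lookup leaves the uniqueness checks enabled. The second unique_modrdn hunk has the same shape and would take the same change. unique_modify's body starts and ends outside this hunk, so the flag would be declared with the locals shown in the first hunk.

```c
	int bypass = 0;	/* declared with the other locals */

	/* ... unchanged: remaining locals and setup ... */

	/* Administrative bypass: requires the manageDsaIt control AND manage
	 * access to the stored target entry.  If the entry cannot be fetched
	 * the uniqueness checks stay in force (fail closed). */
	if ( op->o_managedsait > SLAP_CONTROL_IGNORED ) {
		if ( overlay_entry_get_ov( op, &op->o_req_ndn, NULL, NULL, 0, &e, on ) == LDAP_SUCCESS
				&& e ) {
			bypass = access_allowed( op, e,
				slap_schema.si_ad_entry, NULL, ACL_MANAGE, NULL );
		}
		if ( e ) {
			/* single release point for the fetched entry */
			overlay_entry_release_ov( op, e, 0, on );
		}
	}
	if ( bypass ) {
		Debug(LDAP_DEBUG_TRACE, "unique_modify: administrative bypass, skipping\n", 0, 0, 0);
		return rc;
	}
```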
@@ -1296,12 +1304,18 @@ unique_modrdn( /* skip the checks if the operation has manageDsaIt control in it * (for replication) */ if ( op->o_managedsait > SLAP_CONTROL_IGNORED - && access_allowed ( op, op->ora_e, + && overlay_entry_get_ov(op, &op->o_req_ndn, NULL, NULL, 0, &e, on) == LDAP_SUCCESS + && e + && access_allowed ( op, e, slap_schema.si_ad_entry, NULL, ACL_MANAGE, NULL ) ) { Debug(LDAP_DEBUG_TRACE, "unique_modrdn: administrative bypass, skipping\n", 0, 0, 0); + overlay_entry_release_ov( op, e, 0, on ); return rc; } + if ( e ) { + overlay_entry_release_ov( op, e, 0, on ); + } for ( domain = legacy ? legacy : domains; domain;
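Review bot: The bypass in unique_modrdn is authorised only against the entry at `op->o_req_ndn`, that is, the entry under its current DN, and nothing in this hunk consults the rename target. As far as the visible lines show, a requester holding manage access on the source entry skips the uniqueness checks regardless of where the entry is being renamed or moved to. If that is intended, the comment should say so, for example `/* bypass needs manageDsaIt plus manage access on the entry at its current DN; the new RDN/superior is not consulted */`. If it is not intended, the destination would need its own access check, which may or may not exist elsewhere, because the function continues outside this hunk.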