From: Stefan Metzmacher
Date: Tue, 6 Oct 2020 13:10:33 +0000 (+0200)
Subject: s4:dsdb:acl_read: fully set up 'struct aclread_context' before the search base acl...
X-Git-Tag: samba-4.12.10~29
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f6af56ad68a416e4d8e0ee374036a6fcbe36fe91;p=thirdparty%2Fsamba.git

s4:dsdb:acl_read: fully set up 'struct aclread_context' before the search base acl check

This makes further change much easier.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531

Signed-off-by: Stefan Metzmacher
Reviewed-by: Douglas Bagnall
(cherry picked from commit c4a3028de726d6708f57d02f9162a4d62d1b6ae7)
---

diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index 9d088698e8c..dca43bcab76 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -763,36 +763,6 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
 return ldb_next_request(module, req);
 }
- /* check accessibility of base */
- if (!ldb_dn_is_null(req->op.search.base)) {
- ret = dsdb_module_search_dn(module, req, &res, req->op.search.base,
- acl_attrs,
- DSDB_FLAG_NEXT_MODULE |
- DSDB_FLAG_AS_SYSTEM |
- DSDB_SEARCH_SHOW_RECYCLED,
- req);
- if (ret != LDB_SUCCESS) {
- return ldb_error(ldb, ret,
- "acl_read: Error retrieving instanceType for base.");
- }
- instanceType = ldb_msg_find_attr_as_uint(res->msgs[0],
- "instanceType", 0);
- if (instanceType != 0 && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
- {
- /* the object has a parent, so we have to check for visibility */
- struct ldb_dn *parent_dn = ldb_dn_get_parent(req, req->op.search.base);
- ret = dsdb_module_check_access_on_dn(module,
- req,
- parent_dn,
- SEC_ADS_LIST,
- NULL, req);
- if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
- return ldb_module_done(req, NULL, NULL, LDB_ERR_NO_SUCH_OBJECT);
- } else if (ret != LDB_SUCCESS) {
- return ldb_module_done(req, NULL, NULL, ret);
- }
- }
- }
 ac = talloc_zero(req, struct aclread_context);
 if (ac == NULL) {
 return ldb_oom(ldb);
@@ -865,6 +835,38 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
 }
 ac->attrs = req->op.search.attrs;
+
+ /* check accessibility of base */
+ if (!ldb_dn_is_null(req->op.search.base)) {
+ ret = dsdb_module_search_dn(module, req, &res, req->op.search.base,
+ acl_attrs,
+ DSDB_FLAG_NEXT_MODULE |
+ DSDB_FLAG_AS_SYSTEM |
+ DSDB_SEARCH_SHOW_RECYCLED,
+ req);
+ if (ret != LDB_SUCCESS) {
+ return ldb_error(ldb, ret,
+ "acl_read: Error retrieving instanceType for base.");
+ }
+ instanceType = ldb_msg_find_attr_as_uint(res->msgs[0],
+ "instanceType", 0);
+ if (instanceType != 0 && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
+ {
+ /* the object has a parent, so we have to check for visibility */
+ struct ldb_dn *parent_dn = ldb_dn_get_parent(req, req->op.search.base);
+ ret = dsdb_module_check_access_on_dn(module,
+ req,
+ parent_dn,
+ SEC_ADS_LIST,
+ NULL, req);
+ if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
+ return ldb_module_done(req, NULL, NULL, LDB_ERR_NO_SUCH_OBJECT);
+ } else if (ret != LDB_SUCCESS) {
+ return ldb_module_done(req, NULL, NULL, ret);
+ }
+ }
+ }
+
 ret = ldb_build_search_req_ex(&down_req, ldb, ac, req->op.search.base,