From 5b4b96b3b1733c1e6f1893fe6c46ab7c70ee8210 Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga <kurt@openldap.org>
Date: Mon, 14 Jan 2002 17:47:39 +0000
Subject: [PATCH] ITS#1530: fix ACLs on empty replace bug

---
 CHANGES             |  1 +
 servers/slapd/acl.c | 16 +++++++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index e77bd1edd1..3aeda17a65 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,7 @@
 OpenLDAP 2.0 Change Log
 
 OpenLDAP 2.0.20 Engineering
+	Fixed slapd ACL empty replace bug (ITS#1530)
 	Fixed slapd ACL peername/sockname exact match bug (ITS#1516)
 	Fixed back-passwd db_config bug
 	Fixed -lldap cache debug bug (ITS#1501)
diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index 43cdfbd1d9..c813eda544 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -899,10 +899,20 @@ acl_check_modlist(
 
 		switch ( mlist->sml_op ) {
 		case LDAP_MOD_REPLACE:
-		case LDAP_MOD_ADD:
 			if ( mlist->sml_bvalues == NULL ) {
+				if ( ! access_allowed( be, conn, op, e,
+					mlist->sml_desc, NULL, ACL_WRITE ) )
+				{
+					return( 0 );
+				}
 				break;
 			}
+
+			/* fall thru */
+
+		case LDAP_MOD_ADD:
+			assert( mlist->sml_bvalues != NULL );
+
 			for ( i = 0; mlist->sml_bvalues[i] != NULL; i++ ) {
 				if ( ! access_allowed( be, conn, op, e,
 					mlist->sml_desc, mlist->sml_bvalues[i], ACL_WRITE ) )
@@ -929,6 +939,10 @@ acl_check_modlist(
 				}
 			}
 			break;
+
+		default:
+			assert( 0 );
+			return( 0 );
 		}
 	}
 
-- 
2.47.2