From: Andrew Bartlett <abartlet@samba.org>
Date: Wed, 2 Jan 2013 04:01:23 +0000 (+1100)
Subject: dsdb-acl: Use the structural objectClass in acl_check_access_on_attribute()
X-Git-Tag: ldb-1.1.15~58
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6a4063f30273ff184364f276c5206c3507f37644;p=thirdparty%2Fsamba.git

dsdb-acl: Use the structural objectClass in acl_check_access_on_attribute()

This commit enters the GUID into the object tree so that that access
rights assigned to the structural objectClass are also available, as
well as rights assigned to the attribute property groups.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c
index 95ab2752c7c..09ca201d949 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_util.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_util.c
@@ -107,30 +107,30 @@ int acl_check_access_on_attribute(struct ldb_module *module,
 	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 	struct security_token *token = acl_user_token(module);
 
+	if (!insert_in_object_tree(tmp_ctx,
+				   &objectclass->schemaIDGUID,
+				   access_mask, &root,
+				   &new_node)) {
+		DEBUG(10, ("acl_search: cannot add to object tree class schemaIDGUID\n"));
+		goto fail;
+	}
+
 	if (!GUID_all_zero(&attr->attributeSecurityGUID)) {
 		if (!insert_in_object_tree(tmp_ctx,
 					   &attr->attributeSecurityGUID,
-					   access_mask, &root,
+					   access_mask, &new_node,
 					   &new_node)) {
 			DEBUG(10, ("acl_search: cannot add to object tree securityGUID\n"));
 			goto fail;
 		}
+	}
 
-		if (!insert_in_object_tree(tmp_ctx,
-					   &attr->schemaIDGUID,
-					   access_mask, &new_node,
-					   &new_node)) {
-			DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
-			goto fail;
-		}
-	} else {
-		if (!insert_in_object_tree(tmp_ctx,
-					   &attr->schemaIDGUID,
-					   access_mask, &root,
-					   &new_node)) {
-			DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
-			goto fail;
-		}
+	if (!insert_in_object_tree(tmp_ctx,
+				   &attr->schemaIDGUID,
+				   access_mask, &new_node,
+				   &new_node)) {
+		DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
+		goto fail;
 	}
 
 	status = sec_access_check_ds(sd, token,