From: Jeremy Allison
Date: Mon, 5 May 2008 23:24:52 +0000 (-0700)
Subject: Try and fix bug #5095, "Manage Documents privilege is not functional".
X-Git-Tag: samba-4.0.0alpha6~801^2~1517
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fbc780b60478bb8b30927beacdf65a9a766b2ca1;p=thirdparty%2Fsamba.git
Try and fix bug #5095, "Manage Documents privilege is not functional". Should map the created sd to printer jobs, not printer. Jerry please test and I'll add to 3.2 if it passes. Thanks, Jeremy. (This used to be commit 0a1fe8d6013d925ab6695f6b7f189b731ec42ccc)
---
diff --git a/source3/include/rpc_spoolss.h b/source3/include/rpc_spoolss.h
index aff0bba4445..98f6110f7a2 100644
--- a/source3/include/rpc_spoolss.h
+++ b/source3/include/rpc_spoolss.h
@@ -164,6 +164,7 @@
 #define PRINTER_ACCESS_ADMINISTER 0x00000004
 #define PRINTER_ACCESS_USE 0x00000008
 #define JOB_ACCESS_ADMINISTER 0x00000010
+#define JOB_ACCESS_READ 0x00000020
 /* JOB status codes. */
@@ -193,10 +194,10 @@
 #define PRINTER_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|PRINTER_ACCESS_USE
 /* Access rights for jobs */
-#define JOB_ALL_ACCESS STANDARD_RIGHTS_REQUIRED_ACCESS|JOB_ACCESS_ADMINISTER
-#define JOB_READ STANDARD_RIGHTS_READ_ACCESS|JOB_ACCESS_ADMINISTER
-#define JOB_WRITE STANDARD_RIGHTS_WRITE_ACCESS|JOB_ACCESS_ADMINISTER
-#define JOB_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|JOB_ACCESS_ADMINISTER
+#define JOB_ALL_ACCESS STANDARD_RIGHTS_REQUIRED_ACCESS|JOB_ACCESS_ADMINISTER|JOB_ACCESS_READ|PRINTER_ACCESS_USE
+#define JOB_READ STANDARD_RIGHTS_READ_ACCESS|JOB_ACCESS_ADMINISTER|JOB_ACCESS_READ
+#define JOB_WRITE STANDARD_RIGHTS_WRITE_ACCESS|JOB_ACCESS_ADMINISTER|PRINTER_ACCESS_USE
+#define JOB_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|JOB_ACCESS_ADMINISTER|PRINTER_ACCESS_USE
 /* ACE masks for the various print permissions */
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index c31a48c5859..a66b1e5c5f6 100644
--- a/source3/printing/nt_printing.c
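Review bot: `JOB_READ` still carries `JOB_ACCESS_ADMINISTER`, and this commit starts using the macro in `job_generic_mapping`, so an ACE that grants only generic read on a print job is expanded to include the job-administer right. If read-only job access is meant to be a separate level, the definition should be `#define JOB_READ (STANDARD_RIGHTS_READ_ACCESS|JOB_ACCESS_READ)`. If the extra bit is deliberate for compatibility, a comment above the block should say so, and likewise for `PRINTER_ACCESS_USE` being added to `JOB_WRITE`, `JOB_EXECUTE` and `JOB_ALL_ACCESS`. The four definitions are also unparenthesised `|` chains, which is harmless as struct initialisers but mis-parses inside an expression such as `mask & JOB_READ`; wrapping each right-hand side in parentheses removes that trap.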
+++ b/source3/printing/nt_printing.c
@@ -72,6 +72,15 @@ const struct generic_mapping printserver_std_mapping = {
 SERVER_ALL_ACCESS
 };
+/* Map generic permissions to job object specific permissions */
+
+const struct generic_mapping job_generic_mapping = {
+ JOB_READ,
+ JOB_WRITE,
+ JOB_EXECUTE,
+ JOB_ALL_ACCESS
+};
+
 /* We need one default form to support our default printer. Msoft adds the forms it wants and in the ORDER it wants them (note: DEVMODE papersize is an array index). Letter is always first, so (for the current code) additions
@@ -5719,6 +5728,17 @@ void map_printer_permissions(SEC_DESC *sd)
 }
 }
+void map_job_permissions(SEC_DESC *sd)
+{
+ int i;
+
+ for (i = 0; sd->dacl && i < sd->dacl->num_aces; i++) {
+ se_map_generic(&sd->dacl->aces[i].access_mask,
+ &job_generic_mapping);
+ }
+}
+
+
 /****************************************************************************
 Check a user has permissions to perform the given operation. We use the permission constants defined in include/rpc_spoolss.h to check the various
@@ -5800,19 +5820,12 @@ bool print_access_check(struct current_user *user, int snum, int access_type)
 return False;
 }
- /* Now this is the bit that really confuses me. The access
- type needs to be changed from JOB_ACCESS_ADMINISTER to
- PRINTER_ACCESS_ADMINISTER for this to work. Something
- to do with the child (job) object becoming like a
- printer?? -tpot */
-
- access_type = PRINTER_ACCESS_ADMINISTER;
+ map_job_permissions(secdesc->sd);
+ } else {
+ map_printer_permissions(secdesc->sd);
 }
-
- /* Check access */
-
- map_printer_permissions(secdesc->sd);
+ /* Check access */
 result = se_access_check(secdesc->sd, user->nt_user_token, access_type, &access_granted, &status);
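Review bot: `map_job_permissions` dereferences `sd` without a NULL check and has no comment saying that it rewrites the caller's descriptor in place. A header such as `/* Expand generic bits in every DACL ACE of sd into job-specific rights; modifies sd in place. */` and an early `if (!sd || !sd->dacl) return;` would make the contract explicit. The loop index is `int` but is compared against `num_aces`, which is presumably an unsigned count, so an unsigned index would avoid the mixed-sign comparison. The function is complete within the hunk; it mirrors `map_printer_permissions`, whose body is outside it, so the same points may apply there.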
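Review bot: With `access_type = PRINTER_ACCESS_ADMINISTER;` removed, what appears to be the job-administer branch now asks `se_access_check` for the job bit itself; unless an ACE already stores that bit, it can only come from `map_job_permissions` expanding generic bits. An ACE that holds the printer-specific administer right explicitly, rather than as a generic right, may therefore stop satisfying this check. In the other direction, any ACE with a generic read, write or execute bit now gains job administration, because every `JOB_*` mapping includes `JOB_ACCESS_ADMINISTER`. This is the authorisation decision for managing other users' jobs, so it needs a test for each case (Manage Documents only, Print only, full control) before being backported. Both map calls also modify `secdesc->sd` in place, which is only safe if that descriptor is a private copy; the start of `print_access_check` and the origin of `secdesc` are outside the hunk, so confirm it there.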