Commit d03f5dc5 authored by Howard Chu's avatar Howard Chu

New access_allowed()

parent 2b01593a
...@@ -44,9 +44,9 @@ shell_back_add( ...@@ -44,9 +44,9 @@ shell_back_add(
SlapReply *rs ) SlapReply *rs )
{ {
struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private; struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
FILE *rfp, *wfp; FILE *rfp, *wfp;
int len; int len;
AclCheck ak = { op->ora_e, slap_schema.si_ad_entry, NULL, ACL_WADD, NULL };
if ( si->si_add == NULL ) { if ( si->si_add == NULL ) {
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
...@@ -54,8 +54,7 @@ shell_back_add( ...@@ -54,8 +54,7 @@ shell_back_add(
return( -1 ); return( -1 );
} }
if ( ! access_allowed( op, op->oq_add.rs_e, if ( ! access_allowed( op, &ak ))
entry, NULL, ACL_WADD, NULL ) )
{ {
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL ); send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1; return -1;
......
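Review bot: The `AclCheck ak = { op->ora_e, slap_schema.si_ad_entry, NULL, ACL_WADD, NULL };` initializer at the top of shell_back_add — and the same pattern in every other hunk of this commit — is positional, so the access level is tied to a member only by its position; if the order of AclCheck's members ever changes, ACL_WADD silently lands in a different field and the check tests the wrong privilege. Since `ak_access` is clearly a named member (the modrdn hunks assign it by name), a designated initializer with `.ak_access = ACL_WADD` and the other members likewise named would make the intent robust and self-documenting; the remaining member names are not visible in this diff. These initializers also place non-constant expressions (`op->ora_e`, `slap_schema.si_ad_entry`) in an aggregate initializer, which C99 allows but a strict C89 compiler rejects — fine if the tree already requires C99. shell_back_add's body continues outside the hunk.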
...@@ -44,10 +44,10 @@ shell_back_bind( ...@@ -44,10 +44,10 @@ shell_back_bind(
SlapReply *rs ) SlapReply *rs )
{ {
struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private; struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Entry e; Entry e;
FILE *rfp, *wfp; FILE *rfp, *wfp;
int rc; int rc;
AclCheck ak = { &e, slap_schema.si_ad_entry, NULL, ACL_AUTH, NULL };
/* allow rootdn as a means to auth without the need to actually /* allow rootdn as a means to auth without the need to actually
* contact the proxied DSA */ * contact the proxied DSA */
...@@ -74,8 +74,7 @@ shell_back_bind( ...@@ -74,8 +74,7 @@ shell_back_bind(
e.e_bv.bv_val = NULL; e.e_bv.bv_val = NULL;
e.e_private = NULL; e.e_private = NULL;
if ( ! access_allowed( op, &e, if ( ! access_allowed( op, &ak ))
entry, NULL, ACL_AUTH, NULL ) )
{ {
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL ); send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1; return -1;
......
...@@ -44,9 +44,9 @@ shell_back_compare( ...@@ -44,9 +44,9 @@ shell_back_compare(
SlapReply *rs ) SlapReply *rs )
{ {
struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private; struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Entry e; Entry e;
FILE *rfp, *wfp; FILE *rfp, *wfp;
AclCheck ak = { &e, slap_schema.si_ad_entry, NULL, ACL_COMPARE, NULL };
if ( si->si_compare == NULL ) { if ( si->si_compare == NULL ) {
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
...@@ -63,8 +63,7 @@ shell_back_compare( ...@@ -63,8 +63,7 @@ shell_back_compare(
e.e_bv.bv_val = NULL; e.e_bv.bv_val = NULL;
e.e_private = NULL; e.e_private = NULL;
if ( ! access_allowed( op, &e, if ( ! access_allowed( op, &ak ))
entry, NULL, ACL_READ, NULL ) )
{ {
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL ); send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1; return -1;
......
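Review bot: The privilege required by shell_back_compare changes from ACL_READ on the removed `access_allowed` line to ACL_COMPARE in the new `ak` initializer at the top of the hunk, a behavioral change the commit message does not mention. It does align back-shell with sock_back_compare, which already required ACL_COMPARE, and presumably relaxes the check since compare is a weaker privilege than read in slapd's ACL ordering; if that is intended, a brief comment on the declaration, e.g. `/* compare needs only ACL_COMPARE on the entry, as in back-sock */`, would record it. shell_back_compare's body continues outside the hunk.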
...@@ -44,9 +44,9 @@ shell_back_delete( ...@@ -44,9 +44,9 @@ shell_back_delete(
SlapReply *rs ) SlapReply *rs )
{ {
struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private; struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Entry e; Entry e;
FILE *rfp, *wfp; FILE *rfp, *wfp;
AclCheck ak = { &e, slap_schema.si_ad_entry, NULL, ACL_WDEL, NULL };
if ( si->si_delete == NULL ) { if ( si->si_delete == NULL ) {
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
...@@ -63,8 +63,7 @@ shell_back_delete( ...@@ -63,8 +63,7 @@ shell_back_delete(
e.e_bv.bv_val = NULL; e.e_bv.bv_val = NULL;
e.e_private = NULL; e.e_private = NULL;
if ( ! access_allowed( op, &e, if ( ! access_allowed( op, &ak ))
entry, NULL, ACL_WDEL, NULL ) )
{ {
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL ); send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1; return -1;
......
...@@ -45,11 +45,11 @@ shell_back_modify( ...@@ -45,11 +45,11 @@ shell_back_modify(
{ {
Modification *mod; Modification *mod;
struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private; struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Modifications *ml = op->orm_modlist; Modifications *ml = op->orm_modlist;
Entry e; Entry e;
FILE *rfp, *wfp; FILE *rfp, *wfp;
int i; int i;
AclCheck ak = { &e, slap_schema.si_ad_entry, NULL, ACL_WRITE, NULL };
if ( si->si_modify == NULL ) { if ( si->si_modify == NULL ) {
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
...@@ -66,8 +66,7 @@ shell_back_modify( ...@@ -66,8 +66,7 @@ shell_back_modify(
e.e_bv.bv_val = NULL; e.e_bv.bv_val = NULL;
e.e_private = NULL; e.e_private = NULL;
if ( ! access_allowed( op, &e, if ( ! access_allowed( op, &ak ))
entry, NULL, ACL_WRITE, NULL ) )
{ {
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL ); send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1; return -1;
......
...@@ -44,9 +44,9 @@ shell_back_modrdn( ...@@ -44,9 +44,9 @@ shell_back_modrdn(
SlapReply *rs ) SlapReply *rs )
{ {
struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private; struct shellinfo *si = (struct shellinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Entry e; Entry e;
FILE *rfp, *wfp; FILE *rfp, *wfp;
AclCheck ak = { &e, slap_schema.si_ad_entry, NULL, ACL_WRITE, NULL };
if ( si->si_modrdn == NULL ) { if ( si->si_modrdn == NULL ) {
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM, send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
...@@ -63,9 +63,9 @@ shell_back_modrdn( ...@@ -63,9 +63,9 @@ shell_back_modrdn(
e.e_bv.bv_val = NULL; e.e_bv.bv_val = NULL;
e.e_private = NULL; e.e_private = NULL;
if ( ! access_allowed( op, &e, entry, NULL,
op->oq_modrdn.rs_newSup ? ACL_WDEL : ACL_WRITE, if ( op->oq_modrdn.rs_newSup ) ak.ak_access = ACL_WDEL;
NULL ) ) if ( ! access_allowed( op, &ak ))
{ {
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL ); send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1; return -1;
......
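Review bot: In shell_back_modrdn (and likewise in sock_back_modrdn) the required privilege is now set in two places: ACL_WRITE in the declaration near the top of the function and an override to ACL_WDEL on the line just before the call, so a reader of the declaration can assume the wrong level is checked. Keeping the ternary the old code had inside the initializer, `AclCheck ak = { &e, slap_schema.si_ad_entry, NULL, op->oq_modrdn.rs_newSup ? ACL_WDEL : ACL_WRITE, NULL };`, keeps the policy decision readable at one point. Either way, a one-line comment next to the newSup test stating why a rename with a new superior escalates the requirement to ACL_WDEL would help the next maintainer. The function's body continues outside the hunk.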
...@@ -34,12 +34,11 @@ sock_back_add( ...@@ -34,12 +34,11 @@ sock_back_add(
SlapReply *rs ) SlapReply *rs )
{ {
struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private; struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
FILE *fp; FILE *fp;
int len; int len;
AclCheck ak = { op->ora_e, slap_schema.si_ad_entry, NULL, ACL_WADD, NULL };
if ( ! access_allowed( op, op->oq_add.rs_e, if ( ! access_allowed( op, &ak ))
entry, NULL, ACL_WADD, NULL ) )
{ {
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL ); send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1; return -1;
......
...@@ -34,10 +34,10 @@ sock_back_bind( ...@@ -34,10 +34,10 @@ sock_back_bind(
SlapReply *rs ) SlapReply *rs )
{ {
struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private; struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Entry e; Entry e;
FILE *fp; FILE *fp;
int rc; int rc;
AclCheck ak = { &e, slap_schema.si_ad_entry, NULL, ACL_AUTH, NULL };
e.e_id = NOID; e.e_id = NOID;
e.e_name = op->o_req_dn; e.e_name = op->o_req_dn;
...@@ -48,8 +48,7 @@ sock_back_bind( ...@@ -48,8 +48,7 @@ sock_back_bind(
e.e_bv.bv_val = NULL; e.e_bv.bv_val = NULL;
e.e_private = NULL; e.e_private = NULL;
if ( ! access_allowed( op, &e, if ( ! access_allowed( op, &ak ))
entry, NULL, ACL_AUTH, NULL ) )
{ {
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL ); send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1; return -1;
......
...@@ -34,9 +34,9 @@ sock_back_compare( ...@@ -34,9 +34,9 @@ sock_back_compare(
SlapReply *rs ) SlapReply *rs )
{ {
struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private; struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Entry e; Entry e;
FILE *fp; FILE *fp;
AclCheck ak = { &e, slap_schema.si_ad_entry, NULL, ACL_COMPARE, NULL };
e.e_id = NOID; e.e_id = NOID;
e.e_name = op->o_req_dn; e.e_name = op->o_req_dn;
...@@ -47,8 +47,7 @@ sock_back_compare( ...@@ -47,8 +47,7 @@ sock_back_compare(
e.e_bv.bv_val = NULL; e.e_bv.bv_val = NULL;
e.e_private = NULL; e.e_private = NULL;
if ( ! access_allowed( op, &e, if ( ! access_allowed( op, &ak ))
entry, NULL, ACL_COMPARE, NULL ) )
{ {
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL ); send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1; return -1;
......
...@@ -34,9 +34,9 @@ sock_back_delete( ...@@ -34,9 +34,9 @@ sock_back_delete(
SlapReply *rs ) SlapReply *rs )
{ {
struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private; struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Entry e; Entry e;
FILE *fp; FILE *fp;
AclCheck ak = { &e, slap_schema.si_ad_entry, NULL, ACL_WDEL, NULL };
e.e_id = NOID; e.e_id = NOID;
e.e_name = op->o_req_dn; e.e_name = op->o_req_dn;
...@@ -47,8 +47,7 @@ sock_back_delete( ...@@ -47,8 +47,7 @@ sock_back_delete(
e.e_bv.bv_val = NULL; e.e_bv.bv_val = NULL;
e.e_private = NULL; e.e_private = NULL;
if ( ! access_allowed( op, &e, if ( ! access_allowed( op, &ak ))
entry, NULL, ACL_WDEL, NULL ) )
{ {
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL ); send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1; return -1;
......
...@@ -35,11 +35,11 @@ sock_back_modify( ...@@ -35,11 +35,11 @@ sock_back_modify(
{ {
Modification *mod; Modification *mod;
struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private; struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Modifications *ml = op->orm_modlist; Modifications *ml = op->orm_modlist;
Entry e; Entry e;
FILE *fp; FILE *fp;
int i; int i;
AclCheck ak = { &e, slap_schema.si_ad_entry, NULL, ACL_WRITE, NULL };
e.e_id = NOID; e.e_id = NOID;
e.e_name = op->o_req_dn; e.e_name = op->o_req_dn;
...@@ -50,8 +50,7 @@ sock_back_modify( ...@@ -50,8 +50,7 @@ sock_back_modify(
e.e_bv.bv_val = NULL; e.e_bv.bv_val = NULL;
e.e_private = NULL; e.e_private = NULL;
if ( ! access_allowed( op, &e, if ( ! access_allowed( op, &ak ))
entry, NULL, ACL_WRITE, NULL ) )
{ {
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL ); send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1; return -1;
......
...@@ -34,9 +34,9 @@ sock_back_modrdn( ...@@ -34,9 +34,9 @@ sock_back_modrdn(
SlapReply *rs ) SlapReply *rs )
{ {
struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private; struct sockinfo *si = (struct sockinfo *) op->o_bd->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Entry e; Entry e;
FILE *fp; FILE *fp;
AclCheck ak = { &e, slap_schema.si_ad_entry, NULL, ACL_WRITE, NULL };
e.e_id = NOID; e.e_id = NOID;
e.e_name = op->o_req_dn; e.e_name = op->o_req_dn;
...@@ -47,9 +47,8 @@ sock_back_modrdn( ...@@ -47,9 +47,8 @@ sock_back_modrdn(
e.e_bv.bv_val = NULL; e.e_bv.bv_val = NULL;
e.e_private = NULL; e.e_private = NULL;
if ( ! access_allowed( op, &e, entry, NULL, if ( op->oq_modrdn.rs_newSup ) ak.ak_access = ACL_WDEL;
op->oq_modrdn.rs_newSup ? ACL_WDEL : ACL_WRITE, if ( ! access_allowed( op, &ak ))
NULL ) )
{ {
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL ); send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
return -1; return -1;
......