More for ITS#3008

servers/slapd/acl.c

@@ -80,7 +80,8 @@ static AccessControl * acl_get(
 	Operation *op, Entry *e,
 	AttributeDescription *desc,
 	struct berval *val,
-	int nmatches, regmatch_t *matches );
+	int nmatches, regmatch_t *matches,
+	AccessControlState *state );
 
 static slap_control_t acl_mask(
 	AccessControl *ac, slap_mask_t *mask,
@@ -305,10 +306,12 @@ access_allowed(
 		assert( state->as_vd_acl != NULL );
 
 		a = state->as_vd_acl;
-		mask = state->as_vd_acl_mask;
 		count = state->as_vd_acl_count;
-		AC_MEMCPY( matches, state->as_vd_acl_matches, sizeof(matches) );
-		goto vd_access;
+		if ( !ACL_IS_INVALID( state->as_vd_acl_mask )) {
+			mask = state->as_vd_acl_mask;
+			AC_MEMCPY( matches, state->as_vd_acl_matches, sizeof(matches) );
+			goto vd_access;
+		}
 
 	} else {
 		if ( state ) state->as_vi_acl = NULL;
@@ -319,7 +322,7 @@ access_allowed(
 	}
 
 	while((a = acl_get( a, &count, op, e, desc, val,
-		MAXREMATCHES, matches )) != NULL)
+		MAXREMATCHES, matches, state )) != NULL)
 	{
 		int i;
 
@@ -421,6 +424,7 @@ done:
 	return ret;
 }
 
+
 /*
  * acl_get - return the acl applicable to entry e, attribute
  * attr.  the acl returned is suitable for use in subsequent calls to
@@ -436,7 +440,8 @@ acl_get(
 	AttributeDescription *desc,
 	struct berval	*val,
 	int			nmatch,
-	regmatch_t	*matches )
+	regmatch_t	*matches,
+	AccessControlState *state )
 {
 	const char *attr;
 	int dnlen, patlen;
@@ -545,6 +550,16 @@ acl_get(
 			if ( val == NULL ) {
 				continue;
 			}
+
+			if( state && !( state->as_recorded & ACL_STATE_RECORDED_VD )) {
+				state->as_recorded |= ACL_STATE_RECORDED_VD;
+				state->as_vd_acl = a;
+				state->as_vd_acl_count = *count;
+				state->as_vd_access = a->acl_access;
+				state->as_vd_access_count = 1;
+				ACL_INVALIDATE( state->as_vd_acl_mask );
+			}
+
 			if ( a->acl_attrval_style == ACL_STYLE_REGEX ) {
 #ifdef NEW_LOGGING
 				LDAP_LOG( ACL, DETAIL1,