global ACLs were not used because op->o_bd is set to &backends[0] if NULL
parent
3c5f305a7f
commit
537a4cae02
1 changed files with 20 additions and 12 deletions
|
|
@ -132,6 +132,10 @@ static int aci_match_set ( struct berval *subj, Operation *op,
|
|||
* returns:
|
||||
* 0 access denied
|
||||
* 1 access granted
|
||||
*
|
||||
* Notes:
|
||||
* - can be legally called with op == NULL
|
||||
* - can be legally called with op->o_bd == NULL
|
||||
*/
|
||||
|
||||
int
|
||||
|
|
@ -147,8 +151,7 @@ access_allowed_mask(
|
|||
int ret = 1;
|
||||
int count;
|
||||
AccessControl *a = NULL;
|
||||
Backend *be;
|
||||
int be_null = 0;
|
||||
Backend *be, *old_be;
|
||||
|
||||
#ifdef LDAP_DEBUG
|
||||
char accessmaskbuf[ACCESSMASK_MAXLEN];
|
||||
|
|
@ -211,10 +214,15 @@ access_allowed_mask(
|
|||
goto done;
|
||||
}
|
||||
|
||||
be = op->o_bd;
|
||||
be = old_be = op->o_bd;
|
||||
if ( be == NULL ) {
|
||||
/*
|
||||
* FIXME: is this needed by slapi only? We might find
|
||||
* a better way to pass the appropriate information
|
||||
* that is relevant at this stage, e.g. a fake BackendDB
|
||||
* with global info
|
||||
*/
|
||||
be = &backends[0];
|
||||
be_null = 1;
|
||||
op->o_bd = be;
|
||||
}
|
||||
assert( be != NULL );
|
||||
|
|
@ -228,9 +236,10 @@ access_allowed_mask(
|
|||
}
|
||||
}
|
||||
#endif /* LDAP_SLAPI */
|
||||
op->o_bd = old_be;
|
||||
|
||||
/* grant database root access */
|
||||
if ( be != NULL && be_isroot( op ) ) {
|
||||
if ( old_be && be_isroot( op ) ) {
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG( ACL, INFO,
|
||||
"access_allowed: conn %lu root access granted\n",
|
||||
|
|
@ -269,27 +278,27 @@ access_allowed_mask(
|
|||
}
|
||||
|
||||
/* use backend default access if no backend acls */
|
||||
if( be != NULL && be->be_acl == NULL ) {
|
||||
if( old_be != NULL && old_be->be_acl == NULL ) {
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG( ACL, DETAIL1,
|
||||
"access_allowed: backend default %s access %s to \"%s\"\n",
|
||||
access2str( access ),
|
||||
be->be_dfltaccess >= access ? "granted" : "denied",
|
||||
old_be->be_dfltaccess >= access ? "granted" : "denied",
|
||||
op->o_dn.bv_val ? op->o_dn.bv_val : "(anonymous)" );
|
||||
#else
|
||||
Debug( LDAP_DEBUG_ACL,
|
||||
"=> access_allowed: backend default %s access %s to \"%s\"\n",
|
||||
access2str( access ),
|
||||
be->be_dfltaccess >= access ? "granted" : "denied",
|
||||
old_be->be_dfltaccess >= access ? "granted" : "denied",
|
||||
op->o_dn.bv_val ? op->o_dn.bv_val : "(anonymous)" );
|
||||
#endif
|
||||
ret = be->be_dfltaccess >= access;
|
||||
ret = old_be->be_dfltaccess >= access;
|
||||
|
||||
if ( maskp ) {
|
||||
int i;
|
||||
|
||||
mask = ACL_PRIV_LEVEL;
|
||||
for ( i = ACL_NONE; i <= be->be_dfltaccess; i++ ) {
|
||||
for ( i = ACL_NONE; i <= old_be->be_dfltaccess; i++ ) {
|
||||
mask |= ACL_ACCESS2PRIV( i );
|
||||
}
|
||||
}
|
||||
|
|
@ -299,7 +308,7 @@ access_allowed_mask(
|
|||
#ifdef notdef
|
||||
/* be is always non-NULL */
|
||||
/* use global default access if no global acls */
|
||||
} else if ( be == NULL && global_acl == NULL ) {
|
||||
} else if ( old_be == NULL && global_acl == NULL ) {
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG( ACL, DETAIL1,
|
||||
"access_allowed: global default %s access %s to \"%s\"\n",
|
||||
|
|
@ -445,7 +454,6 @@ done:
|
|||
}
|
||||
state->as_recorded |= ACL_STATE_RECORDED;
|
||||
}
|
||||
if (be_null) op->o_bd = NULL;
|
||||
if ( maskp ) *maskp = mask;
|
||||
return ret;
|
||||
}
|
||||
|
|
|
|||
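Review bot: The restore `op->o_bd = old_be;` placed after `#endif /* LDAP_SLAPI */` in access_allowed_mask() only runs on the fall-through path, while the commit drops the restore at the `done:` label (`if (be_null) op->o_bd = NULL;`) that covered every exit. The body of the LDAP_SLAPI block lies outside the visible hunks; if any branch there jumps to `done`, the caller's Operation would keep pointing at `&backends[0]`, and later access checks on that operation would presumably be evaluated against that backend's root DN and ACLs instead of the global ones. Either restore before each such jump or keep a guarded restore at `done:`, e.g. `if ( swapped ) op->o_bd = old_be;` with a new flag `swapped` set next to `op->o_bd = be;`, because `old_be` is not yet assigned at the earlier `goto done`. A short comment at the swap, such as `/* temporary: op->o_bd is restored right after the SLAPI hook */`, would also make the pairing explicit for the next maintainer.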