upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2026-02-09 22:04:12 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Change replace ACL semantics from U-Mich historical behavior.

Browse source 
U-Mich allows someone with selfwrite to use replace all values
of an attribute with a value containing their DN.  Which, of course,
could than be deleted.  This behavior was carried forward in all
versions of OpenLDAP.

The new semantics separate checks for deleting all existing values
and adding new values.  It is more logical and more inline with
the common use of selfwrite.
This commit is contained in:
Kurt Zeilenga 2002-01-15 16:23:11 +00:00
parent 40542984cd
commit 5e6e27078c
1 changed files with 12 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
servers/slapd/acl.c
View file

@ -1091,16 +1091,20 @@ acl_check_modlist(
switch ( mlist->sml_op ) {
case LDAP_MOD_REPLACE:
if ( mlist->sml_bvalues == NULL ) {
if ( ! access_allowed( be, conn, op, e,
mlist->sml_desc, NULL, ACL_WRITE ) )
{
return( 0 );
}
break;
/*
* We must check both permission to delete the whole
* attribute and permission to add the specific attributes.
* This prevents abuse from selfwriters.
*/
if ( ! access_allowed( be, conn, op, e,
mlist->sml_desc, NULL, ACL_WRITE ) )
{
return( 0 );
}
/* fall thru */
if ( mlist->sml_bvalues == NULL ) break;
/* fall thru to check value to add */
case LDAP_MOD_ADD:
assert( mlist->sml_bvalues != NULL );