fix self<access> for "users" (ITS#4299)

2025-12-24 00:29:35 -05:00 · 2006-01-04 00:52:07 +00:00 · 2006-01-04 00:52:07 +00:00 · 8c0ad9021a
commit 8c0ad9021a
parent bccb029786
1 changed files with 25 additions and 2 deletions
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@ -951,6 +951,8 @@ static int
 acl_mask_dn(
 	Operation		*op,
 	Entry			*e,
+	AttributeDescription	*desc,
+	struct berval		*val,
 	AccessControl		*a,
 	int			nmatch,
 	regmatch_t		*matches,
@ -978,6 +980,27 @@ acl_mask_dn(
 			return 1;
 		}

+		if ( b->a_self ) {
+			const char *dummy;
+			int rc, match = 0;
+
+			/* must have DN syntax */
+			if ( desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName ) return 1;
+
+			/* check if the target is an attribute. */
+			if ( val == NULL ) return 1;
+
+			/* target is attribute, check if the attribute value
+			 * is the op dn.
+			 */
+			rc = value_match( &match, desc,
+				desc->ad_type->sat_equality, 0,
+				val, opndn, &dummy );
+			/* on match error or no match, fail the ACL clause */
+			if ( rc != LDAP_SUCCESS || match != 0 )
+				return 1;
+		}
+
 	} else if ( b->a_style == ACL_STYLE_SELF ) {
 		struct berval	ndn, selfndn;
 		int		level;
@ -1411,7 +1434,7 @@ slap_acl_mask(
 			 * is maintaned in a_dn_pat.
 			 */

-			if ( acl_mask_dn( op, e, a, nmatch, matches,
+			if ( acl_mask_dn( op, e, desc, val, a, nmatch, matches,
 				&b->a_dn, &op->o_ndn ) )
 			{
 				continue;
@ -1442,7 +1465,7 @@ slap_acl_mask(
 				ndn = op->o_ndn;
 			}

-			if ( acl_mask_dn( op, e, a, nmatch, matches,
+			if ( acl_mask_dn( op, e, desc, val, a, nmatch, matches,
 				&b->a_realdn, &ndn ) )
 			{
 				continue;