Require compare (not read) access to entry attr for compare ops

2025-12-26 01:29:59 -05:00 · 2007-12-27 00:51:45 +00:00 · 2007-12-27 00:51:45 +00:00 · b0a0ac4914
commit b0a0ac4914
parent 64f81ee43b
2 changed files with 2 additions and 5 deletions
--- a/doc/man/man5/slapd-sock.5
+++ b/doc/man/man5/slapd-sock.5
@ -186,11 +186,8 @@ to the underlying program.
 The
 .B compare
 operation requires 
-.B read (=r)
-access (FIXME: wouldn't 
 .B compare (=c)
-be a more appropriate choice?)
-to the 
+access to the 
 .B entry
 pseudo-attribute
 of the object whose value is being asserted;
--- a/servers/slapd/back-sock/compare.c
+++ b/servers/slapd/back-sock/compare.c
@ -48,7 +48,7 @@ sock_back_compare(
 	e.e_private = NULL;

 	if ( ! access_allowed( op, &e,
-		entry, NULL, ACL_READ, NULL ) )
+		entry, NULL, ACL_COMPARE, NULL ) )
 	{
 		send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS, NULL );
 		return -1;