more on manage access level
parent
add1add854
commit
ef7421b87d
4 changed files with 89 additions and 58 deletions
@ -192,8 +192,12 @@ slap_access_allowed(
|
|||
* no-user-modification operational attributes are ignored
|
||||
* by ACL_WRITE checking as any found here are not provided
|
||||
* by the user
|
||||
*
|
||||
* NOTE: but they are not ignored for ACL_MANAGE, because
|
||||
* if we get here it means a non-root user is trying to
|
||||
* manage data, so we need to check its privileges.
|
||||
*/
|
||||
if ( access_level >= ACL_WRITE && is_at_no_user_mod( desc->ad_type )
|
||||
if ( access_level == ACL_WRITE && is_at_no_user_mod( desc->ad_type )
|
||||
&& desc != slap_schema.si_ad_entry
|
||||
&& desc != slap_schema.si_ad_children )
|
||||
{
|
||||
|
|
@ -384,10 +388,17 @@ access_allowed_mask(
|
|||
|
||||
assert( attr != NULL );
|
||||
|
||||
if ( op && op->o_is_auth_check &&
|
||||
( access_level == ACL_SEARCH || access_level == ACL_READ ) )
|
||||
{
|
||||
access = ACL_AUTH;
|
||||
if ( op ) {
|
||||
if ( op->o_is_auth_check &&
|
||||
( access_level == ACL_SEARCH || access_level == ACL_READ ) )
|
||||
{
|
||||
access = ACL_AUTH;
|
||||
|
||||
} else if ( get_manageDIT( op ) && access_level == ACL_WRITE &&
|
||||
desc == slap_schema.si_ad_entry )
|
||||
{
|
||||
access = ACL_MANAGE;
|
||||
}
|
||||
}
|
||||
|
||||
if ( state ) {
|
||||
|
|
@ -528,10 +539,17 @@ access_allowed_mask(
|
|||
|
||||
assert( attr != NULL );
|
||||
|
||||
if ( op && op->o_is_auth_check &&
|
||||
( access_level == ACL_SEARCH || access_level == ACL_READ ) )
|
||||
{
|
||||
access = ACL_AUTH;
|
||||
if ( op ) {
|
||||
if ( op->o_is_auth_check &&
|
||||
( access_level == ACL_SEARCH || access_level == ACL_READ ) )
|
||||
{
|
||||
access = ACL_AUTH;
|
||||
|
||||
} else if ( get_manageDIT( op ) && access_level == ACL_WRITE &&
|
||||
desc == slap_schema.si_ad_entry )
|
||||
{
|
||||
access = ACL_MANAGE;
|
||||
}
|
||||
}
|
||||
|
||||
if ( state ) {
|
||||
|
|
@ -595,8 +613,12 @@ access_allowed_mask(
|
|||
* no-user-modification operational attributes are ignored
|
||||
* by ACL_WRITE checking as any found here are not provided
|
||||
* by the user
|
||||
*
|
||||
* NOTE: but they are not ignored for ACL_MANAGE, because
|
||||
* if we get here it means a non-root user is trying to
|
||||
* manage data, so we need to check its privileges.
|
||||
*/
|
||||
if ( access_level >= ACL_WRITE && is_at_no_user_mod( desc->ad_type )
|
||||
if ( access_level == ACL_WRITE && is_at_no_user_mod( desc->ad_type )
|
||||
&& desc != slap_schema.si_ad_entry
|
||||
&& desc != slap_schema.si_ad_children )
|
||||
{
|
||||
|
|
@ -2237,8 +2259,7 @@ int
|
|||
acl_check_modlist(
|
||||
Operation *op,
|
||||
Entry *e,
|
||||
Modifications *mlist
|
||||
)
|
||||
Modifications *mlist )
|
||||
{
|
||||
struct berval *bv;
|
||||
AccessControlState state = ACL_STATE_INIT;
|
||||
|
|
@ -2307,7 +2328,9 @@ acl_check_modlist(
|
|||
* This prevents abuse from selfwriters.
|
||||
*/
|
||||
if ( ! access_allowed( op, e,
|
||||
mlist->sml_desc, NULL, ACL_WDEL, &state ) )
|
||||
mlist->sml_desc, NULL,
|
||||
mlist->sml_managing ? ACL_MANAGE : ACL_WDEL,
|
||||
&state ) )
|
||||
{
|
||||
ret = 0;
|
||||
goto done;
|
||||
|
|
@ -2325,7 +2348,9 @@ acl_check_modlist(
|
|||
bv->bv_val != NULL; bv++ )
|
||||
{
|
||||
if ( ! access_allowed( op, e,
|
||||
mlist->sml_desc, bv, ACL_WADD, &state ) )
|
||||
mlist->sml_desc, bv,
|
||||
mlist->sml_managing ? ACL_MANAGE : ACL_WADD,
|
||||
&state ) )
|
||||
{
|
||||
ret = 0;
|
||||
goto done;
|
||||
|
|
@ -2336,7 +2361,9 @@ acl_check_modlist(
|
|||
case LDAP_MOD_DELETE:
|
||||
if ( mlist->sml_values == NULL ) {
|
||||
if ( ! access_allowed( op, e,
|
||||
mlist->sml_desc, NULL, ACL_WDEL, NULL ) )
|
||||
mlist->sml_desc, NULL,
|
||||
mlist->sml_managing ? ACL_MANAGE : ACL_WDEL,
|
||||
NULL ) )
|
||||
{
|
||||
ret = 0;
|
||||
goto done;
|
||||
|
|
@ -2348,7 +2375,9 @@ acl_check_modlist(
|
|||
bv->bv_val != NULL; bv++ )
|
||||
{
|
||||
if ( ! access_allowed( op, e,
|
||||
mlist->sml_desc, bv, ACL_WDEL, &state ) )
|
||||
mlist->sml_desc, bv,
|
||||
mlist->sml_managing ? ACL_MANAGE : ACL_WDEL,
|
||||
&state ) )
|
||||
{
|
||||
ret = 0;
|
||||
goto done;
|
||||
|
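Review bot: The `manage` decision is taken from two different signals that the commit never ties together: access_allowed_mask (the hunks at L57 and L121 are identical copies) upgrades the request to ACL_MANAGE from `get_manageDIT( op )`, and only when `desc == slap_schema.si_ad_entry`, while acl_check_modlist asks for ACL_MANAGE from the per-modification `sml_managing` flag, which every allocation site in this commit sets to 0 and nothing on this page ever sets to 1. If the two diverge, one request can be checked at `write` for its attributes and at `manage` for the entry pseudo-attribute (or the reverse), and the no-user-modification short-circuit that the `==` change at L43 deliberately leaves open for ACL_MANAGE only matters when the caller actually asks for that level. I would either derive `sml_managing` from the control where the modification list is built, or document the intended relation on the flag, e.g. `/* set when the operation carries manageDIT; acl_check_modlist then requires ACL_MANAGE rather than write for this mod */`. The `children` pseudo-attribute is not upgraded in access_allowed_mask, so managing adds or deletes below an entry presumably stay at `write`; worth confirming that is intended. slap_access_allowed, access_allowed_mask and acl_check_modlist all start and end outside the hunks.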
|
@ -110,6 +110,7 @@ do_add( Operation *op, SlapReply *rs )
|
|||
}
|
||||
|
||||
mod = (Modifications *) ch_malloc( sizeof(Modifications) );
|
||||
mod->sml_managing = 0;
|
||||
mod->sml_op = LDAP_MOD_ADD;
|
||||
mod->sml_flags = 0;
|
||||
mod->sml_next = NULL;
|
||||
|
|
@ -577,6 +578,7 @@ slap_entry2mods(
|
|||
while ( a_new != NULL ) {
|
||||
a_new_desc = a_new->a_desc;
|
||||
mod = (Modifications *) malloc( sizeof( Modifications ));
|
||||
mod->sml_managing = 0;
|
||||
|
||||
mod->sml_op = LDAP_MOD_REPLACE;
|
||||
mod->sml_flags = 0;
|
||||
|
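Review bot: `sml_managing` is initialised by hand at each allocation site (L416 here, L442 in slap_entry2mods, and the modify.c sites), and neither allocation is zeroed — `ch_malloc()` at L413, plain `malloc()` at L439 — so any Modifications built elsewhere without this line carries an indeterminate flag, and acl_check_modlist then chooses between ACL_MANAGE and write on garbage (a stricter level, so it fails closed, but unpredictably). The more robust shape is to zero the struct at allocation, `mod = (Modifications *) ch_calloc( 1, sizeof( Modifications ) );` here and `calloc( 1, sizeof( Modifications ) )` at L439, and keep explicit assignments only for fields meant to be non-zero. The unchecked plain `malloc()` at L439 predates this change but deserves a NULL check while the line is being touched. do_add and slap_entry2mods both start and end outside the hunks.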
|
@ -835,11 +835,14 @@ backend_check_controls(
|
|||
}
|
||||
}
|
||||
|
||||
/* temporarily removed */
|
||||
#if 0
|
||||
/* check should be generalized */
|
||||
if( get_manageDIT(op) && !be_isroot(op)) {
|
||||
rs->sr_text = "requires manager authorization";
|
||||
rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
|
||||
}
|
||||
#endif
|
||||
|
||||
done:;
|
||||
return rs->sr_err;
|
||||
|
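Review bot: Disabling the `get_manageDIT(op) && !be_isroot(op)` refusal with `#if 0` at L473 means a non-root request carrying manageDIT now proceeds into the backend and, as far as this page shows, is stopped only if the ACL evaluation in acl.c denies the `manage` level; nothing in backend_check_controls records that the gate moved. The comment should say so instead of `/* temporarily removed */`, e.g. `/* manageDIT is no longer root-only: access_allowed_mask() and acl_check_modlist() enforce the ACL_MANAGE level per attribute instead */`. Since `#if 0` blocks tend to linger, delete the block outright if the ACL path is the intended replacement, or guard it with a named macro if it is meant to come back. The body of backend_check_controls starts outside the hunk.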
|
@ -106,6 +106,7 @@ do_modify(
|
|||
mod->sml_values = tmp.sml_values;
|
||||
mod->sml_nvalues = NULL;
|
||||
mod->sml_desc = NULL;
|
||||
mod->sml_managing = 0;
|
||||
mod->sml_next = NULL;
|
||||
*modtail = mod;
|
||||
|
||||
|
|
@ -140,7 +141,7 @@ do_modify(
|
|||
goto cleanup;
|
||||
}
|
||||
|
||||
if( mod->sml_values[1].bv_val ) {
|
||||
if ( !BER_BVISNULL( &mod->sml_values[ 1 ] ) ) {
|
||||
Debug( LDAP_DEBUG_ANY, "do_modify: modify/increment "
|
||||
"operation (%ld) requires single value\n",
|
||||
(long) mop, 0, 0 );
|
||||
|
|
@ -251,10 +252,10 @@ fe_op_modify( Operation *op, SlapReply *rs )
|
|||
if ( tmp->sml_values == NULL ) {
|
||||
Debug( LDAP_DEBUG_ARGS, "%s\n",
|
||||
"\t\tno values", NULL, NULL );
|
||||
} else if ( tmp->sml_values[0].bv_val == NULL ) {
|
||||
} else if ( BER_BVISNULL( &tmp->sml_values[ 0 ] ) ) {
|
||||
Debug( LDAP_DEBUG_ARGS, "%s\n",
|
||||
"\t\tzero values", NULL, NULL );
|
||||
} else if ( tmp->sml_values[1].bv_val == NULL ) {
|
||||
} else if ( BER_BVISNULL( &tmp->sml_values[ 1 ] ) ) {
|
||||
Debug( LDAP_DEBUG_ARGS, "%s, length %ld\n",
|
||||
"\t\tone value", (long) tmp->sml_values[0].bv_len, NULL );
|
||||
} else {
|
||||
|
|
@ -883,22 +884,21 @@ int slap_mods_opattrs(
|
|||
if( rc != LDAP_SUCCESS ) return rc;
|
||||
|
||||
mod = (Modifications *) ch_malloc( sizeof( Modifications ) );
|
||||
mod->sml_managing = 0;
|
||||
mod->sml_op = mop;
|
||||
mod->sml_flags = SLAP_MOD_INTERNAL;
|
||||
mod->sml_type.bv_val = NULL;
|
||||
BER_BVZERO( &mod->sml_type );
|
||||
mod->sml_desc = slap_schema.si_ad_structuralObjectClass;
|
||||
mod->sml_values =
|
||||
(BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
|
||||
ber_dupbv( &mod->sml_values[0], &tmpval );
|
||||
mod->sml_values[1].bv_len = 0;
|
||||
mod->sml_values[1].bv_val = NULL;
|
||||
assert( mod->sml_values[0].bv_val != NULL );
|
||||
BER_BVZERO( &mod->sml_values[1] );
|
||||
assert( !BER_BVISNULL( &mod->sml_values[0] ) );
|
||||
mod->sml_nvalues =
|
||||
(BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
|
||||
ber_dupbv( &mod->sml_nvalues[0], &tmpval );
|
||||
mod->sml_nvalues[1].bv_len = 0;
|
||||
mod->sml_nvalues[1].bv_val = NULL;
|
||||
assert( mod->sml_nvalues[0].bv_val != NULL );
|
||||
BER_BVZERO( &mod->sml_nvalues[1] );
|
||||
assert( !BER_BVISNULL( &mod->sml_nvalues[0] ) );
|
||||
*modtail = mod;
|
||||
modtail = &mod->sml_next;
|
||||
}
|
||||
|
|
@ -920,16 +920,16 @@ int slap_mods_opattrs(
|
|||
tmpval.bv_val = uuidbuf;
|
||||
|
||||
mod = (Modifications *) ch_malloc( sizeof( Modifications ) );
|
||||
mod->sml_managing = 0;
|
||||
mod->sml_op = mop;
|
||||
mod->sml_flags = SLAP_MOD_INTERNAL;
|
||||
mod->sml_type.bv_val = NULL;
|
||||
BER_BVZERO( &mod->sml_type );
|
||||
mod->sml_desc = slap_schema.si_ad_entryUUID;
|
||||
mod->sml_values =
|
||||
(BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
|
||||
ber_dupbv( &mod->sml_values[0], &tmpval );
|
||||
mod->sml_values[1].bv_len = 0;
|
||||
mod->sml_values[1].bv_val = NULL;
|
||||
assert( mod->sml_values[0].bv_val != NULL );
|
||||
BER_BVZERO( &mod->sml_values[1] );
|
||||
assert( !BER_BVISNULL( &mod->sml_values[0] ) );
|
||||
mod->sml_nvalues =
|
||||
(BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
|
||||
(*mod->sml_desc->ad_type->sat_equality->smr_normalize)(
|
||||
|
|
@ -937,8 +937,7 @@ int slap_mods_opattrs(
|
|||
mod->sml_desc->ad_type->sat_syntax,
|
||||
mod->sml_desc->ad_type->sat_equality,
|
||||
mod->sml_values, mod->sml_nvalues, NULL );
|
||||
mod->sml_nvalues[1].bv_len = 0;
|
||||
mod->sml_nvalues[1].bv_val = NULL;
|
||||
BER_BVZERO( &mod->sml_nvalues[1] );
|
||||
*modtail = mod;
|
||||
modtail = &mod->sml_next;
|
||||
}
|
||||
|
|
@ -954,22 +953,21 @@ int slap_mods_opattrs(
|
|||
|
||||
if ( mod == *modtail ) {
|
||||
mod = (Modifications *) ch_malloc( sizeof( Modifications ) );
|
||||
mod->sml_managing = 0;
|
||||
mod->sml_op = mop;
|
||||
mod->sml_flags = SLAP_MOD_INTERNAL;
|
||||
mod->sml_type.bv_val = NULL;
|
||||
BER_BVZERO( &mod->sml_type );
|
||||
mod->sml_desc = slap_schema.si_ad_creatorsName;
|
||||
mod->sml_values =
|
||||
(BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
|
||||
ber_dupbv( &mod->sml_values[0], &name );
|
||||
mod->sml_values[1].bv_len = 0;
|
||||
mod->sml_values[1].bv_val = NULL;
|
||||
assert( mod->sml_values[0].bv_val != NULL );
|
||||
BER_BVZERO( &mod->sml_values[1] );
|
||||
assert( !BER_BVISNULL( &mod->sml_values[0] ) );
|
||||
mod->sml_nvalues =
|
||||
(BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
|
||||
ber_dupbv( &mod->sml_nvalues[0], &nname );
|
||||
mod->sml_nvalues[1].bv_len = 0;
|
||||
mod->sml_nvalues[1].bv_val = NULL;
|
||||
assert( mod->sml_nvalues[0].bv_val != NULL );
|
||||
BER_BVZERO( &mod->sml_nvalues[1] );
|
||||
assert( !BER_BVISNULL( &mod->sml_nvalues[0] ) );
|
||||
*modtail = mod;
|
||||
modtail = &mod->sml_next;
|
||||
}
|
||||
|
|
@ -985,16 +983,16 @@ int slap_mods_opattrs(
|
|||
|
||||
if ( mod == *modtail ) {
|
||||
mod = (Modifications *) ch_malloc( sizeof( Modifications ) );
|
||||
mod->sml_managing = 0;
|
||||
mod->sml_op = mop;
|
||||
mod->sml_flags = SLAP_MOD_INTERNAL;
|
||||
mod->sml_type.bv_val = NULL;
|
||||
BER_BVZERO( &mod->sml_type );
|
||||
mod->sml_desc = slap_schema.si_ad_createTimestamp;
|
||||
mod->sml_values =
|
||||
(BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
|
||||
ber_dupbv( &mod->sml_values[0], ×tamp );
|
||||
mod->sml_values[1].bv_len = 0;
|
||||
mod->sml_values[1].bv_val = NULL;
|
||||
assert( mod->sml_values[0].bv_val != NULL );
|
||||
BER_BVZERO( &mod->sml_values[1] );
|
||||
assert( !BER_BVISNULL( &mod->sml_values[0] ) );
|
||||
mod->sml_nvalues = NULL;
|
||||
*modtail = mod;
|
||||
modtail = &mod->sml_next;
|
||||
|
|
@ -1004,15 +1002,15 @@ int slap_mods_opattrs(
|
|||
|
||||
if ( SLAP_LASTMOD( op->o_bd ) ) {
|
||||
mod = (Modifications *) ch_malloc( sizeof( Modifications ) );
|
||||
mod->sml_managing = 0;
|
||||
mod->sml_op = mop;
|
||||
mod->sml_flags = SLAP_MOD_INTERNAL;
|
||||
mod->sml_type.bv_val = NULL;
|
||||
BER_BVZERO( &mod->sml_type );
|
||||
mod->sml_desc = slap_schema.si_ad_entryCSN;
|
||||
mod->sml_values = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
|
||||
ber_dupbv( &mod->sml_values[0], &csn );
|
||||
mod->sml_values[1].bv_len = 0;
|
||||
mod->sml_values[1].bv_val = NULL;
|
||||
assert( mod->sml_values[0].bv_val != NULL );
|
||||
BER_BVZERO( &mod->sml_values[1] );
|
||||
assert( !BER_BVISNULL( &mod->sml_values[0] ) );
|
||||
mod->sml_nvalues = NULL;
|
||||
*modtail = mod;
|
||||
modtail = &mod->sml_next;
|
||||
|
|
@ -1028,21 +1026,20 @@ int slap_mods_opattrs(
|
|||
|
||||
if ( mod == *modtail ) {
|
||||
mod = (Modifications *) ch_malloc( sizeof( Modifications ) );
|
||||
mod->sml_managing = 0;
|
||||
mod->sml_op = mop;
|
||||
mod->sml_flags = SLAP_MOD_INTERNAL;
|
||||
mod->sml_type.bv_val = NULL;
|
||||
BER_BVZERO( &mod->sml_type );
|
||||
mod->sml_desc = slap_schema.si_ad_modifiersName;
|
||||
mod->sml_values = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
|
||||
ber_dupbv( &mod->sml_values[0], &name );
|
||||
mod->sml_values[1].bv_len = 0;
|
||||
mod->sml_values[1].bv_val = NULL;
|
||||
assert( mod->sml_values[0].bv_val != NULL );
|
||||
BER_BVZERO( &mod->sml_values[1] );
|
||||
assert( !BER_BVISNULL( &mod->sml_values[0] ) );
|
||||
mod->sml_nvalues =
|
||||
(BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
|
||||
ber_dupbv( &mod->sml_nvalues[0], &nname );
|
||||
mod->sml_nvalues[1].bv_len = 0;
|
||||
mod->sml_nvalues[1].bv_val = NULL;
|
||||
assert( mod->sml_nvalues[0].bv_val != NULL );
|
||||
BER_BVZERO( &mod->sml_nvalues[1] );
|
||||
assert( !BER_BVISNULL( &mod->sml_nvalues[0] ) );
|
||||
*modtail = mod;
|
||||
modtail = &mod->sml_next;
|
||||
}
|
||||
|
|
@ -1058,15 +1055,15 @@ int slap_mods_opattrs(
|
|||
|
||||
if ( mod == *modtail ) {
|
||||
mod = (Modifications *) ch_malloc( sizeof( Modifications ) );
|
||||
mod->sml_managing = 0;
|
||||
mod->sml_op = mop;
|
||||
mod->sml_flags = SLAP_MOD_INTERNAL;
|
||||
mod->sml_type.bv_val = NULL;
|
||||
BER_BVZERO( &mod->sml_type );
|
||||
mod->sml_desc = slap_schema.si_ad_modifyTimestamp;
|
||||
mod->sml_values = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
|
||||
ber_dupbv( &mod->sml_values[0], ×tamp );
|
||||
mod->sml_values[1].bv_len = 0;
|
||||
mod->sml_values[1].bv_val = NULL;
|
||||
assert( mod->sml_values[0].bv_val != NULL );
|
||||
BER_BVZERO( &mod->sml_values[1] );
|
||||
assert( !BER_BVISNULL( &mod->sml_values[0] ) );
|
||||
mod->sml_nvalues = NULL;
|
||||
*modtail = mod;
|
||||
modtail = &mod->sml_next;
|
||||
|
|
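Review bot: The same block — ch_malloc, `sml_managing = 0`, `sml_op`, `sml_flags = SLAP_MOD_INTERNAL`, `BER_BVZERO( &mod->sml_type )`, a two-slot value array and its `BER_BVZERO` terminator — now appears seven times in slap_mods_opattrs (hunks at L602, L690, L786, L874, L938, L999 and L1084), and this commit had to edit every copy to add one field. A small static helper that allocates a zero-filled internal Modifications would leave each site with only its descriptor and value, and `ch_calloc()` makes any field added later default to 0 instead of depending on each copy being updated. The existing sites do not check the ch_malloc() result, so the helper keeps that convention. slap_mods_opattrs starts and ends outside the hunks.
```c
/* One internal (SLAP_MOD_INTERNAL) modification for descriptor ad:
 * zero-filled, with a two-slot value array whose terminator is already
 * set.  The caller fills sml_values[0] (and sml_nvalues if it needs one). */
static Modifications *
opattr_mod_alloc( int mop, AttributeDescription *ad )
{
	Modifications *mod = (Modifications *) ch_calloc( 1, sizeof( Modifications ) );

	mod->sml_op = mop;
	mod->sml_flags = SLAP_MOD_INTERNAL;
	mod->sml_desc = ad;
	mod->sml_values = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
	BER_BVZERO( &mod->sml_values[1] );
	/* sml_managing, sml_type, sml_nvalues and sml_next stay zero from ch_calloc */
	return mod;
}

/* … unchanged: earlier sites in slap_mods_opattrs … */
	/* e.g. the createTimestamp site, hunk at L874 */
	mod = opattr_mod_alloc( mop, slap_schema.si_ad_createTimestamp );
	ber_dupbv( &mod->sml_values[0], &timestamp );
	assert( !BER_BVISNULL( &mod->sml_values[0] ) );
	*modtail = mod;
	modtail = &mod->sml_next;
/* … unchanged: remaining sites … */
```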