ITS#2757 from HEAD remove be_isroot checks

2025-01-18 11:05:48 +08:00 · 2005-09-28 15:40:52 +00:00 · 2005-09-28 15:40:52 +00:00 · 53bc67c195
commit 53bc67c195
parent bd7d3d977d
1 changed files with 73 additions and 134 deletions
--- a/servers/slapd/back-bdb/modrdn.c
+++ b/servers/slapd/back-bdb/modrdn.c
@ -30,7 +30,6 @@ bdb_modrdn( Operation	*op, SlapReply *rs )
 	AttributeDescription *entry = slap_schema.si_ad_entry;
 	struct berval	p_dn, p_ndn;
 	struct berval	new_dn = {0, NULL}, new_ndn = {0, NULL};
-	int		isroot = -1;
 	Entry		*e = NULL;
 	Entry		*p = NULL;
 	EntryInfo	*ei = NULL, *eip = NULL, *nei = NULL, *neip = NULL;
@ -278,7 +277,15 @@ retry:	/* transaction retry */
 	}

 	if ( be_issuffix( op->o_bd, &e->e_nname ) ) {
+#ifdef BDB_MULTIPLE_SUFFIXES
+		/* Allow renaming one suffix entry to another */
 		p_ndn = slap_empty_bv;
+#else
+		/* There can only be one suffix entry */
+		rs->sr_err = LDAP_NAMING_VIOLATION;
+		rs->sr_text = "cannot rename suffix entry";
+		goto return_results;
+#endif
 	} else {
 		dnParent( &e->e_nname, &p_ndn );
 	}
@ -315,95 +322,45 @@ retry:	/* transaction retry */
 			rs->sr_text = "old entry's parent does not exist";
 			goto return_results;
 		}
-
-		/* check parent for "children" acl */
-		rs->sr_err = access_allowed( op, p,
-			children, NULL, ACL_WRITE, NULL );
-
-		if ( ! rs->sr_err ) {
-			switch( opinfo.boi_err ) {
-			case DB_LOCK_DEADLOCK:
-			case DB_LOCK_NOTGRANTED:
-				goto retry;
-			}
-
-			rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
-			Debug( LDAP_DEBUG_TRACE, "no access to parent\n", 0,
-				0, 0 );
-			rs->sr_text = "no write access to old parent's children";
-			goto return_results;
-		}
-
-		Debug( LDAP_DEBUG_TRACE,
-			LDAP_XSTRING(bdb_modrdn) ": wr to children "
-			"of entry %s OK\n", p_ndn.bv_val, 0, 0 );
-		
-		if ( p_ndn.bv_val == slap_empty_bv.bv_val ) {
-			p_dn = slap_empty_bv;
-		} else {
-			dnParent( &e->e_name, &p_dn );
-		}
-
-		Debug( LDAP_DEBUG_TRACE,
-			LDAP_XSTRING(bdb_modrdn) ": parent dn=%s\n",
-			p_dn.bv_val, 0, 0 );
-
 	} else {
-		/* no parent, modrdn entry directly under root */
-		isroot = be_isroot( op );
-		if ( ! isroot ) {
-			if ( be_issuffix( op->o_bd, (struct berval *)&slap_empty_bv )
-				|| be_shadow_update( op ) ) {
-
-				p = (Entry *)&slap_entry_root;
-
-				/* check parent for "children" acl */
-				rs->sr_err = access_allowed( op, p,
-					children, NULL, ACL_WRITE, NULL );
-
-				p = NULL;
-
-				if ( ! rs->sr_err ) {
-					switch( opinfo.boi_err ) {
-					case DB_LOCK_DEADLOCK:
-					case DB_LOCK_NOTGRANTED:
-						goto retry;
-					}
-
-					rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
-					Debug( LDAP_DEBUG_TRACE, 
-						"no access to parent\n", 
-						0, 0, 0 );
-					rs->sr_text = "no write access to old parent";
-					goto return_results;
-				}
-
-				Debug( LDAP_DEBUG_TRACE,
-					LDAP_XSTRING(bdb_modrdn)
-					": wr to children of entry \"\" OK\n",
-					0, 0, 0 );
-		
-				p_dn.bv_val = "";
-				p_dn.bv_len = 0;
-
-				Debug( LDAP_DEBUG_TRACE,
-					LDAP_XSTRING(bdb_modrdn)
-					": parent dn=\"\"\n",
-					0, 0, 0 );
-
-			} else {
-				Debug( LDAP_DEBUG_TRACE,
-					LDAP_XSTRING(bdb_modrdn)
-					": no parent, not root "
-					"& \"\" is not suffix\n",
-					0, 0, 0);
-				rs->sr_text = "no write access to old parent";
-				rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
-				goto return_results;
-			}
-		}
+		p = (Entry *)&slap_entry_root;
 	}

+	/* check parent for "children" acl */
+	rs->sr_err = access_allowed( op, p,
+		children, NULL, ACL_WRITE, NULL );
+
+	if ( !p_ndn.bv_len )
+		p = NULL;
+
+	if ( ! rs->sr_err ) {
+		switch( opinfo.boi_err ) {
+		case DB_LOCK_DEADLOCK:
+		case DB_LOCK_NOTGRANTED:
+			goto retry;
+		}
+
+		rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+		Debug( LDAP_DEBUG_TRACE, "no access to parent\n", 0,
+			0, 0 );
+		rs->sr_text = "no write access to old parent's children";
+		goto return_results;
+	}
+
+	Debug( LDAP_DEBUG_TRACE,
+		LDAP_XSTRING(bdb_modrdn) ": wr to children "
+		"of entry %s OK\n", p_ndn.bv_val, 0, 0 );
+	
+	if ( p_ndn.bv_val == slap_empty_bv.bv_val ) {
+		p_dn = slap_empty_bv;
+	} else {
+		dnParent( &e->e_name, &p_dn );
+	}
+
+	Debug( LDAP_DEBUG_TRACE,
+		LDAP_XSTRING(bdb_modrdn) ": parent dn=%s\n",
+		p_dn.bv_val, 0, 0 );
+
 	new_parent_dn = &p_dn;	/* New Parent unless newSuperior given */

 	if ( op->oq_modrdn.rs_newSup != NULL ) {
@ -421,6 +378,15 @@ retry:	/* transaction retry */
 		}
 	}

+	/* There's a BDB_MULTIPLE_SUFFIXES case here that this code doesn't
+	 * support. E.g., two suffixes dc=foo,dc=com and dc=bar,dc=net.
+	 * We do not allow modDN
+	 *   dc=foo,dc=com
+	 *    newrdn dc=bar
+	 *    newsup dc=net
+	 * and we probably should. But since MULTIPLE_SUFFIXES is deprecated
+	 * I'm ignoring this problem for now.
+	 */
 	if ( op->oq_modrdn.rs_newSup != NULL ) {
 		if ( op->oq_modrdn.rs_newSup->bv_len ) {
 			np_dn = op->oq_modrdn.rs_newSup;
@ -429,8 +395,8 @@ retry:	/* transaction retry */
 			/* newSuperior == oldParent? - checked above */
 			/* newSuperior == entry being moved?, if so ==> ERROR */
 			if ( dnIsSuffix( np_ndn, &e->e_nname )) {
-				rs->sr_err = LDAP_NAMING_VIOLATION;
-				rs->sr_text = "new superior is invalid";
+				rs->sr_err = LDAP_NO_SUCH_OBJECT;
+				rs->sr_text = "new superior not found";
 				goto return_results;
 			}
 			/* Get Entry with dn=newSuperior. Does newSuperior exist? */
@ -460,7 +426,7 @@ retry:	/* transaction retry */
 					": newSup(ndn=%s) not here!\n",
 					np_ndn->bv_val, 0, 0);
 				rs->sr_text = "new superior not found";
-				rs->sr_err = LDAP_OTHER;
+				rs->sr_err = LDAP_NO_SUCH_OBJECT;
 				goto return_results;
 			}

@ -512,62 +478,35 @@ retry:	/* transaction retry */
 			}

 		} else {
-			if ( isroot == -1 ) {
-				isroot = be_isroot( op );
-			}
-			
 			np_dn = NULL;

 			/* no parent, modrdn entry directly under root */
-			if ( ! isroot ) {
-				if ( be_issuffix( op->o_bd, (struct berval *)&slap_empty_bv )
-					|| be_isupdate( op ) ) {
-					np = (Entry *)&slap_entry_root;
+			if ( be_issuffix( op->o_bd, (struct berval *)&slap_empty_bv )
+				|| be_isupdate( op ) ) {
+				np = (Entry *)&slap_entry_root;

-					/* check parent for "children" acl */
-					rs->sr_err = access_allowed( op, np,
-						children, NULL, ACL_WRITE, NULL );
+				/* check parent for "children" acl */
+				rs->sr_err = access_allowed( op, np,
+					children, NULL, ACL_WRITE, NULL );

-					np = NULL;
+				np = NULL;

-					if ( ! rs->sr_err ) {
-						switch( opinfo.boi_err ) {
-						case DB_LOCK_DEADLOCK:
-						case DB_LOCK_NOTGRANTED:
-							goto retry;
-						}
-
-						rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
-						Debug( LDAP_DEBUG_TRACE, 
-							"no access to new superior\n", 
-							0, 0, 0 );
-						rs->sr_text =
-							"no write access to new superior's children";
-						goto return_results;
+				if ( ! rs->sr_err ) {
+					switch( opinfo.boi_err ) {
+					case DB_LOCK_DEADLOCK:
+					case DB_LOCK_NOTGRANTED:
+						goto retry;
 					}

-					Debug( LDAP_DEBUG_TRACE,
-						LDAP_XSTRING(bdb_modrdn)
-						": wr to children "
-						"of entry \"\" OK\n",
-						0, 0, 0 );
-		
-				} else {
-					Debug( LDAP_DEBUG_TRACE,
-						LDAP_XSTRING(bdb_modrdn)
-						": new superior=\"\", not root "
-						"& \"\" is not suffix\n",
-						0, 0, 0 );
-					rs->sr_text = "no write access to new superior's children";
 					rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+					Debug( LDAP_DEBUG_TRACE, 
+						"no access to new superior\n", 
+						0, 0, 0 );
+					rs->sr_text =
+						"no write access to new superior's children";
 					goto return_results;
 				}
 			}
-
-			Debug( LDAP_DEBUG_TRACE,
-				LDAP_XSTRING(bdb_modrdn)
-				": new superior=\"\"\n",
-				0, 0, 0 );
 		}

 		Debug( LDAP_DEBUG_TRACE,