honor disclose and search access of searchBase; fix potential lock issue; honor abandon

2025-02-23 14:09:39 +08:00 · 2005-04-08 23:20:37 +00:00 · 2005-04-08 23:20:37 +00:00 · 64ae69f6df
commit 64ae69f6df
parent 797efdf730
1 changed files with 49 additions and 16 deletions
--- a/servers/slapd/back-monitor/search.c
+++ b/servers/slapd/back-monitor/search.c
@ -56,7 +56,7 @@ monitor_send_children(
 	if ( e_ch == NULL ) {
 		/* no persistent entries? return */
 		if ( e == NULL ) {
-			return( 0 );
+			return LDAP_SUCCESS;
 		}
 	
 	/* volatile entries */
@ -87,6 +87,11 @@ monitor_send_children(
 		mp = ( monitor_entry_t * )e->e_private;

 		monitor_entry_update( op, e );
+
+		if ( op->o_abandon ) {
+			monitor_cache_release( mi, e );
+			return SLAPD_ABANDON;
+		}
 		
 		rc = test_filter( op, e, op->oq_search.rs_filter );
 		if ( rc == LDAP_COMPARE_TRUE ) {
@ -97,9 +102,11 @@ monitor_send_children(
 		}

 		if ( ( mp->mp_children || MONITOR_HAS_VOLATILE_CH( mp ) )
-				&& sub ) {
+				&& sub )
+		{
 			rc = monitor_send_children( op, rs, e, sub );
 			if ( rc ) {
+				monitor_cache_release( mi, e );
 				return( rc );
 			}
 		}
@ -112,7 +119,7 @@ monitor_send_children(
 		e = e_tmp;
 	}
 	
-	return( 0 );
+	return LDAP_SUCCESS;
 }

 int
@ -121,6 +128,7 @@ monitor_back_search( Operation *op, SlapReply *rs )
 	monitor_info_t	*mi = ( monitor_info_t * )op->o_bd->be_private;
 	int		rc = LDAP_SUCCESS;
 	Entry		*e = NULL, *matched = NULL;
+	slap_mask_t	mask;

 	Debug( LDAP_DEBUG_TRACE, "=> monitor_back_search\n", 0, 0, 0 );

@ -130,7 +138,17 @@ monitor_back_search( Operation *op, SlapReply *rs )
 	if ( e == NULL ) {
 		rs->sr_err = LDAP_NO_SUCH_OBJECT;
 		if ( matched ) {
-			rs->sr_matched = matched->e_dn;
+#ifdef SLAP_ACL_HONOR_DISCLOSE
+			if ( !access_allowed_mask( op, matched,
+					slap_schema.si_ad_entry,
+					NULL, ACL_DISCLOSE, NULL, NULL ) )
+			{
+				/* do nothing */ ;
+			} else 
+#endif /* SLAP_ACL_HONOR_DISCLOSE */
+			{
+				rs->sr_matched = matched->e_dn;
+			}
 		}

 		send_ldap_result( op, rs );
@ -139,7 +157,28 @@ monitor_back_search( Operation *op, SlapReply *rs )
 			rs->sr_matched = NULL;
 		}

-		return( 0 );
+		return rs->sr_err;
+	}
+
+	/* NOTE: __NEW__ "search" access is required
+	 * on searchBase object */
+	if ( !access_allowed_mask( op, e, slap_schema.si_ad_entry,
+				NULL, ACL_SEARCH, NULL, &mask ) )
+	{
+		monitor_cache_release( mi, e );
+
+#ifdef SLAP_ACL_HONOR_DISCLOSE
+		if ( !ACL_GRANT( mask, ACL_DISCLOSE ) ) {
+			rs->sr_err = LDAP_NO_SUCH_OBJECT;
+		} else 
+#endif /* SLAP_ACL_HONOR_DISCLOSE */
+		{
+			rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+		}
+
+		send_ldap_result( op, rs );
+
+		return rs->sr_err;
 	}

 	rs->sr_attrs = op->oq_search.rs_attrs;
@ -159,10 +198,6 @@ monitor_back_search( Operation *op, SlapReply *rs )

 	case LDAP_SCOPE_ONELEVEL:
 		rc = monitor_send_children( op, rs, e, 0 );
-		if ( rc ) {
-			rc = LDAP_OTHER;
-		}
-		
 		break;

 	case LDAP_SCOPE_SUBTREE:
@ -176,17 +211,15 @@ monitor_back_search( Operation *op, SlapReply *rs )
 		}

 		rc = monitor_send_children( op, rs, e, 1 );
-		if ( rc ) {
-			rc = LDAP_OTHER;
-		}
-
 		break;
 	}
-	
+
 	rs->sr_attrs = NULL;
 	rs->sr_err = rc;
-	send_ldap_result( op, rs );
+	if ( rs->sr_err != SLAPD_ABANDON ) {
+		send_ldap_result( op, rs );
+	}

-	return( rc == LDAP_SUCCESS ? 0 : 1 );
+	return rs->sr_err;
 }