non-root add/delete of entries rooted at '' checks children write permission

This commit is contained in:
Pierangelo Masarati 2001-11-14 16:08:59 +00:00
parent 90a60edef9
commit 8c2ed9c809
2 changed files with 83 additions and 21 deletions

View File

@ -209,25 +209,58 @@ ldbm_back_add(
}
/* no parent, must be adding entry to root */
if ( !be_isroot( be, op->o_ndn ) && !be_issuffix( be, "" ) ) {
if ( !be_isroot( be, op->o_ndn ) ) {
if ( be_issuffix( be, "" ) ) {
static const Entry rootp = { NOID, "", "", NULL, NULL };
p = (Entry *)&rootp;
rc = access_allowed( be, conn, op, p,
children, NULL, ACL_WRITE );
p = NULL;
if ( ! rc ) {
ldap_pvt_thread_mutex_unlock(&li->li_add_mutex);
#ifdef NEW_LOGGING
LDAP_LOG(( "backend", LDAP_LEVEL_ERR,
"ldbm_back_add: No write "
"access to parent (\"\").\n" ));
#else
Debug( LDAP_DEBUG_TRACE,
"no write access to parent\n",
0, 0, 0 );
#endif
send_ldap_result( conn, op,
LDAP_INSUFFICIENT_ACCESS,
NULL,
"no write access to parent",
NULL, NULL );
return -1;
}
} else {
ldap_pvt_thread_mutex_unlock(&li->li_add_mutex);
#ifdef NEW_LOGGING
LDAP_LOG(( "backend", LDAP_LEVEL_ERR,
"ldbm_back_add: %s add denied.\n",
pdn == NULL ? "suffix" : "entry at root" ));
pdn == NULL ? "suffix"
: "entry at root" ));
#else
Debug( LDAP_DEBUG_TRACE, "%s add denied\n",
pdn == NULL ? "suffix" : "entry at root",
0, 0 );
pdn == NULL ? "suffix"
: "entry at root", 0, 0 );
#endif
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
send_ldap_result( conn, op,
LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
return -1;
}
}
/*
* no parent, acquire the root write lock

View File

@ -153,22 +153,51 @@ ldbm_back_delete(
} else {
/* no parent, must be root to delete */
if( ! be_isroot( be, op->o_ndn ) && ! be_issuffix( be, "" ) ) {
if( ! be_isroot( be, op->o_ndn ) ) {
if ( be_issuffix( be, "" ) ) {
static const Entry rootp = { NOID, "", "", NULL, NULL };
p = (Entry *)&rootp;
rc = access_allowed( be, conn, op, p,
children, NULL, ACL_WRITE );
p = NULL;
/* check parent for "children" acl */
if ( ! rc ) {
#ifdef NEW_LOGGING
LDAP_LOG(( "backend", LDAP_LEVEL_ERR,
"ldbm_back_delete: (%s) has no parent & not a root.\n",
dn ));
"ldbm_back_delete: no access "
"to parent of ("")\n" ));
#else
Debug( LDAP_DEBUG_TRACE,
"<=- ldbm_back_delete: no parent & not root\n",
0, 0, 0);
"<=- ldbm_back_delete: no "
"access to parent\n", 0, 0, 0 );
#endif
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
send_ldap_result( conn, op,
LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
goto return_results;
}
} else {
#ifdef NEW_LOGGING
LDAP_LOG(( "backend", LDAP_LEVEL_ERR,
"ldbm_back_delete: (%s) has no "
"parent & not a root.\n", dn ));
#else
Debug( LDAP_DEBUG_TRACE,
"<=- ldbm_back_delete: no parent & "
"not root\n", 0, 0, 0);
#endif
send_ldap_result( conn, op,
LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
goto return_results;
}
}
ldap_pvt_thread_mutex_lock(&li->li_root_mutex);
rootlock = 1;
}