added acl check for added/removed rdn attrs

2025-01-30 13:30:57 +08:00 · 2001-07-31 10:02:19 +00:00 · 2001-07-31 10:02:19 +00:00 · d8cb33ebe8
commit d8cb33ebe8
parent 50223981d9
1 changed files with 46 additions and 1 deletions
--- a/servers/slapd/back-ldbm/modrdn.c
+++ b/servers/slapd/back-ldbm/modrdn.c
@ -486,6 +486,7 @@ ldbm_back_modrdn(
 	for ( a_cnt = 0; new_rdn_types[a_cnt]; a_cnt++ ) {
 		int rc;
 		Modifications *mod_tmp;
+		struct berval val;

 		mod_tmp = (Modifications *)ch_malloc( sizeof( Modifications ) );

@ -510,6 +511,28 @@ ldbm_back_modrdn(
 			goto return_results;		
 		}

+		val.bv_val = new_rdn_vals[a_cnt];
+		val.bv_len = strlen( val.bv_val );
+		if ( ! access_allowed( be, conn, op, p, 
+				mod_tmp->sml_desc, &val, ACL_WRITE ) ) {
+#ifdef NEW_LOGGING
+			LDAP_LOG(( "backend", LDAP_LEVEL_INFO,
+				   "ldbm_back_modrdn: access "
+				   "not allowed to attr \"%s\"\n",
+				   new_rdn_types[a_cnt] ));
+#else
+			Debug( LDAP_DEBUG_TRACE,
+				"ldbm_back_modrdn: access not allowed "
+				"to attr \"%s\"\n%s%s",
+				new_rdn_types[a_cnt], "", "" );
+#endif
+			send_ldap_result( conn, op, 
+				LDAP_INSUFFICIENT_ACCESS,
+				NULL, NULL, NULL, NULL );
+
+			goto return_results;
+		}
+
 		mod_tmp->sml_bvalues = (struct berval **)ch_malloc( 2 * sizeof(struct berval *) );
 		mod_tmp->sml_bvalues[0] = ber_bvstrdup( new_rdn_vals[a_cnt] );
 		mod_tmp->sml_bvalues[1] = NULL;
@ -539,10 +562,10 @@ ldbm_back_modrdn(
 		for ( d_cnt = 0; old_rdn_types[d_cnt]; d_cnt++ ) {    
 			int rc;
 			Modifications *mod_tmp;
+			struct berval val;

 			mod_tmp = (Modifications *)ch_malloc( sizeof( Modifications ) );

-
 			mod_tmp->sml_desc = NULL;
 			rc = slap_str2ad( old_rdn_types[d_cnt], 
 					&mod_tmp->sml_desc, &text );
@ -564,6 +587,28 @@ ldbm_back_modrdn(
 				goto return_results;
 			}

+			val.bv_val = old_rdn_vals[a_cnt];
+			val.bv_len = strlen( val.bv_val );
+			if ( ! access_allowed( be, conn, op, p, 
+					mod_tmp->sml_desc, &val, ACL_WRITE ) ) {
+#ifdef NEW_LOGGING
+				LDAP_LOG(( "backend", LDAP_LEVEL_INFO,
+					   "ldbm_back_modrdn: access "
+					   "not allowed to attr \"%s\"\n",
+					   old_rdn_types[a_cnt] ));
+#else
+				Debug( LDAP_DEBUG_TRACE,
+					"ldbm_back_modrdn: access not allowed "
+					"to attr \"%s\"\n%s%s",
+					old_rdn_types[a_cnt], "", "" );
+#endif
+				send_ldap_result( conn, op, 
+					LDAP_INSUFFICIENT_ACCESS,
+					NULL, NULL, NULL, NULL );
+
+				goto return_results;
+			}
+
 			/* Remove old value of rdn as an attribute. */
 			mod_tmp->sml_bvalues = (struct berval **)ch_malloc( 2 * sizeof(struct berval *) );
 			mod_tmp->sml_bvalues[0] = ber_bvstrdup( old_rdn_vals[d_cnt] );