Don't exclude no-user-modification attributes from ACL checks

unless the access requested is WRITE.  This allows an ACL to be applied
that limits search/read access to no-user-modification attributes.
Writes, of course, are always prohibited (by do_add, do_modify).
Kurt Zeilenga 2000-01-27 18:35:36 +00:00
parent 9dde98577d
commit df712b8597


@ -98,8 +98,12 @@ access_allowed(
return 1;
}
/* no user modify operational attributes are ignored by ACL checking */
if ( oc_check_no_usermod_attr( attr ) ) {
/*
* no-user-modification operational attributes are ignored
* by ACL_WRITE checking as any found here are not provided
* by the user
*/
if ( access >= ACL_WRITE && oc_check_no_usermod_attr( attr ) ) {
Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
" %s access granted\n",
attr, 0, 0 );
@ -623,9 +627,14 @@ acl_check_modlist(
}
for ( ; mlist != NULL; mlist = mlist->ml_next ) {
/* the lastmod attributes are ignored by ACL checking */
/*
* no-user-modification operational attributes are ignored
* by ACL_WRITE checking as any found here are not provided
* by the user
*/
if ( oc_check_no_usermod_attr( mlist->ml_type ) ) {
Debug( LDAP_DEBUG_ACL, "Operational attribute: %s access allowed\n",
Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
" modify access granted\n",
mlist->ml_type, 0, 0 );
continue;
}
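Review bot: The new condition in access_allowed, `if ( access >= ACL_WRITE && oc_check_no_usermod_attr( attr ) )`, still returns a grant for any WRITE-level request on a no-user-modification attribute without consulting the ACL, so it is only safe if every write path has already rejected user-supplied values for these attributes before calling here; the description names do_add and do_modify, but that ordering is not visible in the hunk, and a future caller that skips that step would inherit an unconditional grant. I would state the precondition in the new comment block rather than only in the commit message, e.g. `* Callers (do_add/do_modify) must already have rejected user-supplied` / `* values for these attributes; this shortcut is not a write permission.`. The same precondition applies to the unchanged unconditional `continue` for no-usermod attributes in acl_check_modlist, and the "access granted" Debug text on both paths reads as if an ACL decision had been made, so a word like "bypassed" would describe it more accurately. Using `>= ACL_WRITE` rather than `== ACL_WRITE` also extends the bypass to any access level later defined above WRITE; if that is intended it is worth saying so. Both access_allowed and acl_check_modlist begin and end outside the hunks shown.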