From df712b8597aa27613efc904fc85d7ac562d627a0 Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga
Date: Thu, 27 Jan 2000 18:35:36 +0000
Subject: [PATCH] Don't exclude no-user-modification attributes from ACL checks unless access requested is WRITE. This allows you to apply an ACL to limit search/reading of no-user-modification attributes. Writes, of course, are always prohibited (by do_add, do_modify).
---
 servers/slapd/acl.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index f50005d09f..cc0802a211 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -98,8 +98,12 @@ access_allowed(
 		return 1;
 	}
 
-	/* no user modify operational attributes are ignored by ACL checking */
-	if ( oc_check_no_usermod_attr( attr ) ) {
+	/*
+	 * no-user-modification operational attributes are ignored
+	 * by ACL_WRITE checking as any found here are not provided
+	 * by the user
+	 */
+	if ( access >= ACL_WRITE && oc_check_no_usermod_attr( attr ) ) {
 		Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
 			" %s access granted\n",
 			attr, 0, 0 );
@@ -623,9 +627,14 @@ acl_check_modlist(
 	}
 
 	for ( ; mlist != NULL; mlist = mlist->ml_next ) {
-		/* the lastmod attributes are ignored by ACL checking */
+		/*
+		 * no-user-modification operational attributes are ignored
+		 * by ACL_WRITE checking as any found here are not provided
+		 * by the user
+		 */
 		if ( oc_check_no_usermod_attr( mlist->ml_type ) ) {
-			Debug( LDAP_DEBUG_ACL, "Operational attribute: %s access allowed\n",
+			Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
+				" modify access granted\n",
 				mlist->ml_type, 0, 0 );
 			continue;
 		}
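Review bot: The unconditional grant (`return 1`) that follows the new `access >= ACL_WRITE && oc_check_no_usermod_attr( attr )` test is safe only because callers reject user-supplied no-user-modification attributes before ACL evaluation, a dependency the commit message states (do_add, do_modify) but the new comment in the hunk does not. The comment should name that invariant so a later change to the callers cannot silently turn this branch into a write bypass: `* do_add/do_modify refuse user writes to these attributes before reaching here; the grant below covers only server-generated values`. Note also that `>=` selects every access level ordered at or above ACL_WRITE, not WRITE alone as the subject line says, so the comment should say "ACL_WRITE and above". The body of access_allowed continues outside the hunk.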
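Review bot: The replacement format string `" modify access granted\n"` drops the `%s` that the removed line had, yet `mlist->ml_type` is still passed as the first variadic argument, so the attribute type is no longer logged and the argument is dead. The parallel hunk in access_allowed keeps `" %s access granted\n"`, so this looks accidental; change the line to `" %s modify access granted\n",` to keep the audit trail and stay consistent with the other Debug call. The enclosing loop in acl_check_modlist continues outside the hunk.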