Friday, June 27, 2014

[389-commits] Branch '389-ds-base-1.3.2' - ldap/servers

ldap/servers/plugins/deref/deref.c | 113 ++++++++++++++++++-------------------
1 file changed, 58 insertions(+), 55 deletions(-)

New commits:
commit 7d19149d2a53188dfcb0f719c65517cea2c3682f
Author: Ludwig Krispenz <lkrispen@redhat.com>
Date: Fri Jun 27 15:20:25 2014 +0200

Ticket 47821 - deref plugin cannot handle complex acis

Bug Description: the deref plugin does not return attributes if
the access depends on rules requiring
the entry

Fix Description: do the access check after the entry is retrieved

https://fedorahosted.org/389/ticket/47821

Reviewed by: mark, thanks

diff --git a/ldap/servers/plugins/deref/deref.c b/ldap/servers/plugins/deref/deref.c
index 8414452..9fa355c 100644
--- a/ldap/servers/plugins/deref/deref.c
+++ b/ldap/servers/plugins/deref/deref.c
@@ -606,14 +606,10 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
Slapi_Entry **entries = NULL;
int rc;

- if (deref_check_access(pb, NULL, derefdn, attrs, &retattrs,
- (SLAPI_ACL_SEARCH|SLAPI_ACL_READ))) {
- slapi_log_error(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
- "The client does not have permission to read the requested "
- "attributes in entry %s\n", derefdn);
- return;
- }
-
+/* If the access check on the attributes is done without retrieveing the entry
+ * it cannot handle acis which need teh entry, eg to apply a targetfilter rule
+ * So the determination of attrs which can be dereferenced is delayed
+ */
derefpb = slapi_pblock_new();
slapi_search_internal_set_pb(derefpb, derefdn, LDAP_SCOPE_BASE,
"(objectclass=*)", retattrs, 0,
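Review bot: `retattrs` is still passed as the attribute list to slapi_search_internal_set_pb on the hunk's last lines, but the deref_check_access call that used to populate it is removed, so the internal search now requests whatever `retattrs` held before this point. Its declaration is above the hunk, so I cannot see whether it is NULL-initialised there; if it is, the search presumably fetches the entry's default attribute set and the per-entry check that follows narrows it, which would be the intent but is not said anywhere. I would extend the new comment with a line such as `* retattrs is deliberately left unset here: the search fetches the entry, and the access check afterwards decides which attributes are returned.` so the next reader does not take it for an uninitialised use. The same comment has two typos, `retrieveing` and `teh`. deref_do_deref_attr continues below the hunk.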
@@ -632,62 +628,69 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
} else {
int ii;
int needattrvals = 1; /* need attrvals sequence? */
- for (ii = 0; retattrs[ii]; ++ii) {
- Slapi_Value *sv;
- int idx = 0;
- Slapi_ValueSet* results = NULL;
- int type_name_disposition = 0;
- char* actual_type_name = NULL;
- int flags = 0;
- int buffer_flags = 0;
- int needpartialattr = 1; /* need PartialAttribute sequence? */
- int needvalsset = 1;
+ if (deref_check_access(pb, entries[0], derefdn, attrs, &retattrs,
+ (SLAPI_ACL_SEARCH|SLAPI_ACL_READ))) {
+ slapi_log_error(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
+ "The client does not have permission to read the requested "
+ "attributes in entry %s\n", derefdn);
+ } else {
+ for (ii = 0; retattrs[ii]; ++ii) {
+ Slapi_Value *sv;
+ int idx = 0;
+ Slapi_ValueSet* results = NULL;
+ int type_name_disposition = 0;
+ char* actual_type_name = NULL;
+ int flags = 0;
+ int buffer_flags = 0;
+ int needpartialattr = 1; /* need PartialAttribute sequence? */
+ int needvalsset = 1;

#if defined(USE_OLD_UNHASHED)
- if (is_type_forbidden(retattrs[ii])) {
- slapi_log_error(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
- "skip forbidden attribute [%s]\n", derefdn);
- continue;
- }
+ if (is_type_forbidden(retattrs[ii])) {
+ slapi_log_error(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
+ "skip forbidden attribute [%s]\n", derefdn);
+ continue;
+ }
