
CVE-2013-2219 ACLs inoperative in some search scenarios

Ludwig Krispenz 12 жил өмнө
parent
commit
a803b52307

+ 5 - 1
ldap/servers/plugins/acl/acl.c

@@ -2142,7 +2142,11 @@ acl__resource_match_aci( Acl_PBlock *aclpb, aci_t *aci, int skip_attrEval, int *
 			 * calculated from the targetdn and stored judiciously there
 			 */
 			matched_val = (char *)acl_ht_lookup( aclpb->aclpb_macro_ht,
-										(PLHashNumber)aci->aci_index);
+								(PLHashNumber)aci->aci_index);
+		} else {
+			/* new entry, remove macro evaluation from hash table */
+			acl_ht_remove_and_free( aclpb->aclpb_macro_ht,
+							(PLHashNumber)aci->aci_index);
 		}
 		if ( matched_val == NULL &&
 			(aclpb->aclpb_res_type & (ACLPB_NEW_ENTRY | ACLPB_EFFECTIVE_RIGHTS))) {
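Review bot: The comment on the new `else` branch says what is removed but not why it matters for access control, and the branch's `if` condition lies outside the hunk, so a reader cannot see when it runs. Judging from the context comment and the `matched_val == NULL` test that follows, the removal appears to force the macro match to be recomputed for the current entry instead of reusing a value cached for an earlier one. If that is the intent, say so: `/* new entry: drop the cached macro match for this aci so it is recomputed for the current target DN, not reused from the previous entry */`. The branch also relies on `matched_val` still being NULL at this point, which is set outside the hunk and worth confirming.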

+ 1 - 0
ldap/servers/plugins/acl/acl.h

@@ -933,6 +933,7 @@ int aclutil_str_append_ext(char **dest, size_t *dlen, const char *src, size_t sl
 
 /* acl hash table functions */
 void acl_ht_add_and_freeOld(acl_ht_t * acl_ht, PLHashNumber key,char *value);
+void acl_ht_remove_and_free(acl_ht_t * acl_ht, PLHashNumber key);
 acl_ht_t *acl_ht_new(void);
 void acl_ht_free_all_entries_and_values( acl_ht_t *acl_ht);
 void acl_ht_remove( acl_ht_t *acl_ht, PLHashNumber key);

+ 11 - 0
ldap/servers/plugins/acl/aclutil.c

@@ -1397,6 +1397,17 @@ void acl_ht_add_and_freeOld(acl_ht_t * acl_ht,
 	PL_HashTableAdd( acl_ht, (const void *)pkey, value);
 }
 
+void acl_ht_remove_and_free(acl_ht_t * acl_ht,
+					PLHashNumber key){
+	char *old_value = NULL;	
+	uintptr_t pkey = (uintptr_t)key;
+
+	if ( (old_value = (char *)acl_ht_lookup( acl_ht, key)) != NULL ) {
+		acl_ht_remove( acl_ht, key);
+		slapi_ch_free_string(&old_value);
+	}
+}
+
 /*
  * Return a new acl_ht_t *
 */
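Review bot: `pkey` in `acl_ht_remove_and_free` is initialised but never used, since both `acl_ht_lookup` and `acl_ht_remove` are passed `key`. The line `uintptr_t pkey = (uintptr_t)key;` can be dropped, along with the trailing tab after `char *old_value = NULL;`. The entry is removed only when the lookup returns non-NULL, so an entry stored with a NULL value would stay in the table if `acl_ht_lookup` cannot tell it apart from a missing key (not visible here). A short header comment stating that the table owns its values and that they are released with `slapi_ch_free_string` would make the ownership contract explicit.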

+ 10 - 4
ldap/servers/slapd/filterentry.c

@@ -1037,8 +1037,11 @@ vattr_test_filter_list(
 	for ( f = flist; f != NULL; f = f->f_next ) {
 		if ( slapi_vattr_filter_test_ext_internal( pb, e, f, verify_access, only_check_access, access_check_done ) != 0 ) {
 			/* optimize AND evaluation */
-			if ( ftype == LDAP_FILTER_AND ) {
-				/* one false is failure */
+			if ( ftype == LDAP_FILTER_AND || verify_access) {
+				/* one false is failure
+				 * for AND all components need to match 
+				 * and for AND and OR access to ALL filter attributes is required
+				 */
 				nomatch = 1;
 				break;
 			}
@@ -1046,8 +1049,11 @@ vattr_test_filter_list(
 			nomatch = 0;
 
 			/* optimize OR evaluation too */
-			if ( ftype == LDAP_FILTER_OR ) {
-				/* only one needs to be true */
+			if ( ftype == LDAP_FILTER_OR && !verify_access) {
+				/* access to all atributes needs to be evaluated
+				 * for filter matching
+				 * only one needs to be true 
+				 */
 				break;
 			}
 		}
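Review bot: In the first hunk, `if ( ftype == LDAP_FILTER_AND || verify_access)` treats every non-zero return from `slapi_vattr_filter_test_ext_internal` as fatal when `verify_access` is set. For an OR list, a component that simply does not match now ends the loop with `nomatch = 1`, even if a later component would match and is readable. Unless the callee returns 0 for a non-matching component in this mode (not visible here), a valid OR search becomes a miss; the break should be taken only when the return value reports an access failure, or access should be checked in a pass separate from matching. The second hunk's `ftype == LDAP_FILTER_OR && !verify_access` keeps evaluating so every attribute is access-checked, but its comment has a typo (`atributes`) and would read more clearly as `/* with verify_access every component must be access-checked, so no early exit; otherwise one true component is enough */`. The function body starts and ends outside both hunks.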