Home Explore Help
Register Sign In
Apq
/
389-ds-base
mirror of https://github.com/389ds/389-ds-base.git
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

Ticket 47399 - RHDS denies MODRDN access if ACI list contains any DENY rule

Bug Description:  if there is a deny rule targeting a specific attribute it also
		  denies the modrdn operation

Fix Description:   only apply deny rules to modrdn if no target attr exists

https://fedorahosted.org/389/ticket/47339

Reviewed by: Rich, thanks
Ludwig Krispenz 12 years ago
parent
6a0ed40b25
commit
fe0491c49f
1 changed files with 4 additions and 1 deletions
Split View Show Diff Stats
  1. 4 1
      ldap/servers/plugins/acl/acl.c

+ 4 - 1
ldap/servers/plugins/acl/acl.c
View File 

@@ -2640,12 +2640,15 @@ acl__resource_match_aci( Acl_PBlock *aclpb, aci_t *aci, int skip_attrEval, int *
 
 			;
 
 		} else if (aci_right & SLAPI_ACL_WRITE && 
 			  (aci->aci_type & ACI_TARGET_ATTR) &&
 
-			  !(c_attrEval)) {
 
+			  !(c_attrEval) &&
 
+			  (aci->aci_type & ACI_HAS_ALLOW_RULE)) {
 
 			/* We need to handle modrdn operation.  Modrdn doesn't 
 			** change any attrs but changes the RDN and so (attr=NULL).
 
 			** Here we found an acl which has a targetattr but
 
 			** the resource doesn't need one. In that case, we should
 
 			** consider this acl.
 
+			** the opposite is true if it is a deny rule, only a deny without 
+			** any targetattr should deny modrdn
 
 			** default: matches = ACL_TRUE;
 
 			*/
 
 			;