[389-commits] ldap/servers

Nathan Kinder nkinder at fedoraproject.org
Mon Nov 1 20:10:01 UTC 2010


 ldap/servers/plugins/dna/dna.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

New commits:
commit fe6f8f219bf1769f4daff8b3b1d31163a70eaa46
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Mon Nov 1 12:41:05 2010 -0700

    Bug 521088 - DNA should check ACLs before getting a value from the range
    
    The DNA plug-in gets a value from the range at the pre-op stage, which
    means that the operation can fail at a later point.  This results in
    a value being used up from the range even though it is never actually
    used within an entry.
    
    This patch makes DNA check the ACIs to see if the incoming operation
    is allowed before allocating a value from the range.  If the ACIs
    result in an operation that will be rejected, we skip allocation
    which keeps us from wasting a value from the range.

diff --git a/ldap/servers/plugins/dna/dna.c b/ldap/servers/plugins/dna/dna.c
index 5419409..a60690d 100644
--- a/ldap/servers/plugins/dna/dna.c
+++ b/ldap/servers/plugins/dna/dna.c
@@ -2821,6 +2821,18 @@ static int dna_pre_op(Slapi_PBlock * pb, int modtype)
         goto bailmod;
     }
 
+    /* See if the operation is going to be rejected by the ACIs.  There's no use in
+     * us worrying about the change if it's going to be rejected. */
+    if (LDAP_CHANGETYPE_MODIFY == modtype) {
+        if (slapi_acl_check_mods(pb, e, slapi_mods_get_ldapmods_byref(smods), NULL) != LDAP_SUCCESS) {
+            goto bailmod;
+        }
+    } else {
+        if (slapi_access_allowed(pb, e, NULL, NULL, SLAPI_ACL_ADD) != LDAP_SUCCESS) {
+            goto bailmod;
+        }
+    }
+
     dna_read_lock();
 
     if (!PR_CLIST_IS_EMPTY(dna_global_config)) {
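Review bot: the else branch of the new block checks SLAPI_ACL_ADD for every modtype other than LDAP_CHANGETYPE_MODIFY, so it is only correct while dna_pre_op is called with nothing but add and modify; testing `LDAP_CHANGETYPE_ADD == modtype` explicitly, or stating that assumption in the comment, would keep a later caller from silently getting the wrong access check. Both failure paths also `goto bailmod` without setting any result in the added lines, so the comment should say that this is deliberate: the plug-in only skips allocation here and relies on the server's own access check later in the operation to reject the request and report the error. It is worth confirming that the return value reaching bailmod on this path is still the success value, so the pre-op does not fail the operation with a different code than the ACI rejection would give.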



