ldap/servers/plugins/acl/acl.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
New commits: commit a71ea8c2e6fa19e1c14587ac8100342d2bdd97dd Author: Ludwig Krispenz lkrispen@redhat.com Date: Tue Jul 9 16:11:12 2013 +0200
Ticket 47399 - RHDS denies MODRDN access if ACI list contains any DENY rule
Bug Description: if there is a deny rule targeting a specific attribute it also denies the modrdn operation
Fix Description: only apply deny rules to modrdn if no target attr exists
https://fedorahosted.org/389/ticket/47339
Reviewed by: Rich, thanks
diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
index 61750fc..1ae925b 100644
--- a/ldap/servers/plugins/acl/acl.c
+++ b/ldap/servers/plugins/acl/acl.c
@@ -2640,12 +2640,15 @@ acl__resource_match_aci( Acl_PBlock *aclpb, aci_t *aci, int skip_attrEval, int *
 ;
 } else if (aci_right & SLAPI_ACL_WRITE &&
 (aci->aci_type & ACI_TARGET_ATTR) &&
- !(c_attrEval)) {
+ !(c_attrEval) &&
+ (aci->aci_type & ACI_HAS_ALLOW_RULE)) {
 /* We need to handle modrdn operation. Modrdn doesn't
 ** change any attrs but changes the RDN and so (attr=NULL).
 ** Here we found an acl which has a targetattr but
 ** the resource doesn't need one. In that case, we should
 ** consider this acl.
+ ** the opposite is true if it is a deny rule, only a deny without
+ ** any targetattr should deny modrdn
 ** default: matches = ACL_TRUE;
 */
 ;
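Review bot: With the added `(aci->aci_type & ACI_HAS_ALLOW_RULE)` test in the `SLAPI_ACL_WRITE` branch, a deny ACI whose targetattr covers the entry's naming attribute (or every attribute) appears to drop out of the modrdn decision, although a rename does change that attribute's value. That loosens existing deny-write policies as well as fixing the over-broad denial, and the new comment lines do not say this is intended. The test also keys on the presence of an allow rule, not the absence of a deny rule, so the outcome for an ACI that carries both kinds of rule should be confirmed against the ACI parser. I would state the rule explicitly in the comment, e.g. `** NOTE: a deny ACI with a targetattr never matches modrdn, even if the targetattr names the RDN attribute; use a deny without targetattr to block renames.`, and add a regression test for both the deny-with-targetattr and deny-without-targetattr cases. The enclosing if/else chain starts and ends outside the hunk, so where a deny ACI falls through to is not visible here.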