ldap/servers/plugins/acl/acl.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
New commits:
commit fe0491c49fdb180f1bd291ba78148da7c58b5e90
Author: Ludwig Krispenz <lkrispen(a)redhat.com>
Date: Tue Jul 9 16:11:12 2013 +0200
Ticket 47399 - RHDS denies MODRDN access if ACI list contains any DENY rule
Bug Description: if there is a deny rule targeting a specific attribute it also
denies the modrdn operation
Fix Description: only apply deny rules to modrdn if no target attr exists
https://fedorahosted.org/389/ticket/47339
Reviewed by: Rich, thanks
diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
index e001aea..08d8daa 100644
--- a/ldap/servers/plugins/acl/acl.c
+++ b/ldap/servers/plugins/acl/acl.c
@@ -2640,12 +2640,15 @@ acl__resource_match_aci( Acl_PBlock *aclpb, aci_t *aci, int
skip_attrEval, int *
;
} else if (aci_right & SLAPI_ACL_WRITE &&
(aci->aci_type & ACI_TARGET_ATTR) &&
- !(c_attrEval)) {
+ !(c_attrEval) &&
+ (aci->aci_type & ACI_HAS_ALLOW_RULE)) {
/* We need to handle modrdn operation. Modrdn doesn't
** change any attrs but changes the RDN and so (attr=NULL).
** Here we found an acl which has a targetattr but
** the resource doesn't need one. In that case, we should
** consider this acl.
+ ** the opposite is true if it is a deny rule, only a deny without
+ ** any targetattr should deny modrdn
** default: matches = ACL_TRUE;
*/
;
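Review bot: The added `(aci->aci_type & ACI_HAS_ALLOW_RULE)` test in the `else if` makes every deny ACI that carries a targetattr stop applying to modrdn, which loosens access control beyond the ticket's case. A deny on the naming attribute itself would no longer block a rename, and presumably neither would a deny with a wildcard targetattr, if that also sets `ACI_TARGET_ATTR`. The comment should state that consequence explicitly, e.g. `** NOTE: a deny(write) aci with any targetattr, including the RDN attribute, does not block modrdn.`, and a regression test should cover a deny on the RDN attribute. If a single ACI can carry both allow and deny rules, this test still admits it for modrdn, so confirm that is intended. The enclosing if/else chain starts and ends outside the hunk, so the branch a skipped deny ACI falls into cannot be checked from here.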