authorStefan Metzmacher <metze@samba.org>2013-01-16 16:34:56 +0100
committerStefan Metzmacher <metze@samba.org>2013-01-21 16:12:45 +0100
commit097fae2d1d6ae04a7bfc795803f200b6f703a904 (patch)
tree431136cf3207cd112db9e7ec7a3fd5cdf194a6fb
parent74bfec026921fcfc430fb7cfaee44ed75f135a99 (diff)
downloadsamba-097fae2d1d6ae04a7bfc795803f200b6f703a904.tar.gz
samba-097fae2d1d6ae04a7bfc795803f200b6f703a904.tar.bz2
samba-097fae2d1d6ae04a7bfc795803f200b6f703a904.zip
dsdb-acl: add acl_check_access_on_objectclass() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--source4/dsdb/samdb/ldb_modules/acl_util.c39
1 files changed, 39 insertions, 0 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c
index 13d6098a21..bbf8e660a6 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_util.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_util.c
@@ -150,6 +150,45 @@ fail:
return ldb_operr(ldb_module_get_ctx(module));
}
+int acl_check_access_on_objectclass(struct ldb_module *module,
+ TALLOC_CTX *mem_ctx,
+ struct security_descriptor *sd,
+ struct dom_sid *rp_sid,
+ uint32_t access_mask,
+ const struct dsdb_class *objectclass)
+{
+ int ret;
+ NTSTATUS status;
+ uint32_t access_granted;
+ struct object_tree *root = NULL;
+ struct object_tree *new_node = NULL;
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ struct security_token *token = acl_user_token(module);
+
+ if (!insert_in_object_tree(tmp_ctx,
+ &objectclass->schemaIDGUID,
+ access_mask, &root,
+ &new_node)) {
+ DEBUG(10, ("acl_search: cannot add to object tree class schemaIDGUID\n"));
+ goto fail;
+ }
+
+ status = sec_access_check_ds(sd, token,
+ access_mask,
+ &access_granted,
+ root,
+ rp_sid);
+ if (!NT_STATUS_IS_OK(status)) {
+ ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+ } else {
+ ret = LDB_SUCCESS;
+ }
+ talloc_free(tmp_ctx);
+ return ret;
+fail:
+ talloc_free(tmp_ctx);
+ return ldb_operr(ldb_module_get_ctx(module));
+}
/* checks for validated writes */
int acl_check_extended_right(TALLOC_CTX *mem_ctx,