authorStefan Metzmacher <metze@samba.org>2013-01-16 16:41:51 +0100
committerStefan Metzmacher <metze@samba.org>2013-01-21 16:12:45 +0100
commit8d31e42eed71e9686b03c496eeff1ff96a6742ea (patch)
treecdd6e34a480610c4e1972725757c2cebb7a35c89
parent8e47e64f5d73441b6eb13d59001d52ec77c1c7d5 (diff)
dsdb-acl: make use of acl_check_access_on_attribute() in acl_modify()
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--source4/dsdb/samdb/ldb_modules/acl.c60
1 files changed, 16 insertions, 44 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 2842e58b33..b4b170f5dd 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -954,8 +954,6 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
const struct dsdb_schema *schema;
unsigned int i;
const struct dsdb_class *objectclass;
- uint32_t access_granted;
- NTSTATUS status;
struct ldb_result *acl_res;
struct security_descriptor *sd;
struct dom_sid *sid = NULL;
@@ -1067,13 +1065,14 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
access_mask |= SEC_FLAG_SYSTEM_SECURITY;
}
- status = sec_access_check_ds(sd, acl_user_token(module),
- access_mask,
- &access_granted,
- NULL,
- sid);
-
- if (!NT_STATUS_IS_OK(status)) {
+ ret = acl_check_access_on_attribute(module,
+ tmp_ctx,
+ sd,
+ sid,
+ access_mask,
+ attr,
+ objectclass);
+ if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb_module_get_ctx(module),
"Object %s has no write dacl access\n",
ldb_dn_get_linearized(msg->dn));
@@ -1125,41 +1124,14 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
goto fail;
}
} else {
- struct object_tree *root = NULL;
- struct object_tree *new_node = NULL;
-
- if (!insert_in_object_tree(tmp_ctx,
- &objectclass->schemaIDGUID,
- SEC_ADS_WRITE_PROP,
- &root, &new_node)) {
- talloc_free(tmp_ctx);
- return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
- "acl_modify: Error adding new node in object tree.");
- }
-
- if (!insert_in_object_tree(tmp_ctx,
- &attr->attributeSecurityGUID, SEC_ADS_WRITE_PROP,
- &new_node, &new_node)) {
- ldb_asprintf_errstring(ldb_module_get_ctx(module),
- "acl_modify: cannot add to object tree securityGUID\n");
- ret = LDB_ERR_OPERATIONS_ERROR;
- goto fail;
- }
-
- if (!insert_in_object_tree(tmp_ctx,
- &attr->schemaIDGUID, SEC_ADS_WRITE_PROP, &new_node, &new_node)) {
- ldb_asprintf_errstring(ldb_module_get_ctx(module),
- "acl_modify: cannot add to object tree attributeGUID\n");
- ret = LDB_ERR_OPERATIONS_ERROR;
- goto fail;
- }
-
- status = sec_access_check_ds(sd, acl_user_token(module),
- SEC_ADS_WRITE_PROP,
- &access_granted,
- root,
- sid);
- if (!NT_STATUS_IS_OK(status)) {
+ ret = acl_check_access_on_attribute(module,
+ tmp_ctx,
+ sd,
+ sid,
+ SEC_ADS_WRITE_PROP,
+ attr,
+ objectclass);
+ if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb_module_get_ctx(module),
"Object %s has no write property access\n",
ldb_dn_get_linearized(msg->dn));
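Review bot: In the second and third hunks every non-LDB_SUCCESS return from acl_check_access_on_attribute() is now reported as "Object %s has no write dacl access" / "no write property access", whereas the removed code reported insert_in_object_tree() failures separately as LDB_ERR_OPERATIONS_ERROR with an "acl_modify: cannot add to object tree ..." message. If the helper can fail for reasons other than a denied check (allocation or object-tree construction), that diagnostic is now misleading, and should the lines following the errstring call (outside the hunk) overwrite ret with LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS, an internal error would reach the client as access-denied — fail-closed, but the real cause is lost from the log; a guard such as `if (ret == LDB_ERR_OPERATIONS_ERROR) goto fail;` before the errstring, mirroring the removed `ret = LDB_ERR_OPERATIONS_ERROR; goto fail;` path, keeps the two cases distinguishable. Separately, the removed sec_access_check_ds() call in the second hunk passed a NULL object tree while the replacement hands attr and objectclass to the helper, so the nTSecurityDescriptor write check appears to become attribute-scoped rather than object-scoped; if that is intended it deserves a sentence in the commit message. acl_modify() starts and ends outside the shown hunks.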