author | Jeremy Allison <jra@samba.org> | 2008-05-05 16:24:52 -0700 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2008-05-05 16:24:52 -0700 |
commit | fbc780b60478bb8b30927beacdf65a9a766b2ca1 (patch) | |
tree | 1146cbe16f18869d98a09e5b760c5275efc9345c /source3/printing | |
parent | 7245a8e3b889ad6127d2cbf62a5a7f6e465e6bbd (diff) | |
Try and fix bug #5095, "Manage Documents privilege is not functional".
Should map the created sd to printer jobs, not printer.
Jerry please test and I'll add to 3.2 if it passes. Thanks,
Jeremy.
(This used to be commit 0a1fe8d6013d925ab6695f6b7f189b731ec42ccc)
Diffstat (limited to 'source3/printing')
-rw-r--r-- | source3/printing/nt_printing.c | 35 |
1 files changed, 24 insertions, 11 deletions
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index c31a48c585..a66b1e5c5f 100644
--- a/source3/printing/nt_printing.c
+++ b/source3/printing/nt_printing.c
@@ -72,6 +72,15 @@ const struct generic_mapping printserver_std_mapping = {
 SERVER_ALL_ACCESS
 };
+/* Map generic permissions to job object specific permissions */
+
+const struct generic_mapping job_generic_mapping = {
+ JOB_READ,
+ JOB_WRITE,
+ JOB_EXECUTE,
+ JOB_ALL_ACCESS
+};
+
 /* We need one default form to support our default printer. Msoft adds the forms it wants and in the ORDER it wants them (note: DEVMODE papersize is an array index). Letter is always first, so (for the current code) additions
@@ -5719,6 +5728,17 @@ void map_printer_permissions(SEC_DESC *sd)
 }
 }
+void map_job_permissions(SEC_DESC *sd)
+{
+ int i;
+
+ for (i = 0; sd->dacl && i < sd->dacl->num_aces; i++) {
+ se_map_generic(&sd->dacl->aces[i].access_mask,
+ &job_generic_mapping);
+ }
+}
+
+
 /****************************************************************************
 Check a user has permissions to perform the given operation. We use the permission constants defined in include/rpc_spoolss.h to check the various
@@ -5800,19 +5820,12 @@ bool print_access_check(struct current_user *user, int snum, int access_type)
 return False;
 }
- /* Now this is the bit that really confuses me. The access
- type needs to be changed from JOB_ACCESS_ADMINISTER to
- PRINTER_ACCESS_ADMINISTER for this to work. Something
- to do with the child (job) object becoming like a
- printer?? -tpot */
-
- access_type = PRINTER_ACCESS_ADMINISTER;
+ map_job_permissions(secdesc->sd);
+ } else {
+ map_printer_permissions(secdesc->sd);
 }
-
- /* Check access */
-
- map_printer_permissions(secdesc->sd);
+ /* Check access */
 result = se_access_check(secdesc->sd, user->nt_user_token, access_type, &access_granted, &status); |
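Review bot: `map_job_permissions()` dereferences `sd` and tests only `sd->dacl`, so a NULL descriptor reaching this access-check helper would crash the process instead of producing a denial; a guard such as `if (sd == NULL || sd->dacl == NULL) return;` at the top would make the failure mode explicit. The index is a signed `int i` compared against `sd->dacl->num_aces`, whose declaration is not visible here but is presumably unsigned, so an unsigned index would avoid the mixed-sign comparison. The loop appears to repeat `map_printer_permissions()`, of which only the closing braces are visible above the addition; a single static helper taking the `generic_mapping` pointer would keep the two from drifting apart. The new function also has no header comment, for example `/* Map generic access bits in every DACL entry of sd to job-specific rights. */`.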
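Review bot: In the job branch of `print_access_check()` the call to `se_access_check()` now receives the caller's `access_type` unchanged, and the removed -tpot comment was the only explanation of how job and printer rights relate here, so the new branch should carry its own comment, e.g. `/* secdesc is the child (job) descriptor here: map generic bits to JOB_* rights. */`. Because this changes an authorization decision, it deserves a test in both directions: an account holding only Manage Documents is granted the job operation, and an account holding only Print is still refused. `map_job_permissions()` rewrites `secdesc->sd` in place, which is safe only if `secdesc` is a private copy at this point. The `if` condition and the code that builds the child descriptor lie outside the hunk, so that should be confirmed there.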