author | Stefan Metzmacher <metze@samba.org> | 2013-01-16 16:34:56 +0100 |
committer | Stefan Metzmacher <metze@samba.org> | 2013-01-21 16:12:45 +0100 |
commit | 097fae2d1d6ae04a7bfc795803f200b6f703a904 (patch) | |
tree | 431136cf3207cd112db9e7ec7a3fd5cdf194a6fb /source4/dsdb | |
parent | 74bfec026921fcfc430fb7cfaee44ed75f135a99 (diff) | |
dsdb-acl: add acl_check_access_on_objectclass() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/dsdb')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/acl_util.c | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c
index 13d6098a21..bbf8e660a6 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_util.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_util.c
@@ -150,6 +150,45 @@ fail:
 return ldb_operr(ldb_module_get_ctx(module));
 }
+int acl_check_access_on_objectclass(struct ldb_module *module,
+ TALLOC_CTX *mem_ctx,
+ struct security_descriptor *sd,
+ struct dom_sid *rp_sid,
+ uint32_t access_mask,
+ const struct dsdb_class *objectclass)
+{
+ int ret;
+ NTSTATUS status;
+ uint32_t access_granted;
+ struct object_tree *root = NULL;
+ struct object_tree *new_node = NULL;
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ struct security_token *token = acl_user_token(module);
+
+ if (!insert_in_object_tree(tmp_ctx,
+ &objectclass->schemaIDGUID,
+ access_mask, &root,
+ &new_node)) {
+ DEBUG(10, ("acl_search: cannot add to object tree class schemaIDGUID\n"));
+ goto fail;
+ }
+
+ status = sec_access_check_ds(sd, token,
+ access_mask,
+ &access_granted,
+ root,
+ rp_sid);
+ if (!NT_STATUS_IS_OK(status)) {
+ ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+ } else {
+ ret = LDB_SUCCESS;
+ }
+ talloc_free(tmp_ctx);
+ return ret;
+fail:
+ talloc_free(tmp_ctx);
+ return ldb_operr(ldb_module_get_ctx(module));
+}
 /* checks for validated writes */
 int acl_check_extended_right(TALLOC_CTX *mem_ctx, |
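Review bot: The diagnostic in the `insert_in_object_tree` failure branch is labelled `acl_search:` although it is emitted from `acl_check_access_on_objectclass`, so a level-10 trace points an operator at the wrong function; it should read `DEBUG(10, ("acl_check_access_on_objectclass: cannot add to object tree class schemaIDGUID\n"));`. The `talloc_new(mem_ctx)` result is also used without a check, so on allocation failure `root` is built on the NULL context and leaked instead of being reported — `if (tmp_ctx == NULL) { return ldb_oom(ldb_module_get_ctx(module)); }` before the `insert_in_object_tree` call would make that failure explicit, matching the existing `fail:` path. `objectclass` is dereferenced and `token` is handed straight to `sec_access_check_ds`; if `acl_user_token` can return NULL for a request without session info (its body is not in this hunk), the helper should presumably fail closed at that point rather than depend on the callee. A short header comment stating that any non-OK status from `sec_access_check_ds`, not only an access-denied result, is reported as `LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS` would document the fail-closed contract for callers.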