summaryrefslogtreecommitdiff
path: root/source4/lib/ldb/tests
diff options
context:
space:
mode:
authorNadezhda Ivanova <nadezhda.ivanova@postpath.com>2009-12-17 17:25:11 +0200
committerNadezhda Ivanova <nadezhda.ivanova@postpath.com>2009-12-17 17:25:11 +0200
commitc0883fb4518570c85bf0a33ea0ce244f23c07c62 (patch)
tree0efb36221f487e0171d23e40216e385955c85a9c /source4/lib/ldb/tests
parent619ad0c6ecf88a861ad1a1e1d5564bd1f91855cc (diff)
downloadsamba-c0883fb4518570c85bf0a33ea0ce244f23c07c62.tar.gz
samba-c0883fb4518570c85bf0a33ea0ce244f23c07c62.tar.bz2
samba-c0883fb4518570c85bf0a33ea0ce244f23c07c62.zip
Fixed incorrect checking of PRINCIPAL_SELF permissions.
If an ace has the PRINCIPAL_SELF as trustee, this sid has to be replaced with the onjectSid of the object being checked. PRINCIPAL_SELF is the way to grant rights to an account over itself.
Diffstat (limited to 'source4/lib/ldb/tests')
-rwxr-xr-xsource4/lib/ldb/tests/python/acl.py43
1 files changed, 41 insertions, 2 deletions
diff --git a/source4/lib/ldb/tests/python/acl.py b/source4/lib/ldb/tests/python/acl.py
index ae35ddfb29..4544f60736 100755
--- a/source4/lib/ldb/tests/python/acl.py
+++ b/source4/lib/ldb/tests/python/acl.py
@@ -393,8 +393,6 @@ userAccountControl: %s""" % userAccountControl
res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s,%s)" \
% ("CN=test_add_group1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn) )
self.assertEqual( res, [])
-
-# ace is not inherited - filered out...
def test_add_granted_user(self):
""" 3 Testing OU with the rights of regular user granted the right 'Create User child objects' """
@@ -749,6 +747,47 @@ url: www.samba.org"""
# This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
self.fail()
+
+ def test_modify_u4(self):
+ """11 Grant WP to PRINCIPAL_SELF and test modify"""
+ # Creating acluser1
+ if self.SAMBA:
+ self.delete_force(self.ldb_admin, self.get_user_dn("acluser3"))
+ self.create_user(self.ldb_admin, self.get_user_dn("acluser3"))
+ self.enable_account(self.get_user_dn("acluser3"))
+ # Test if we have any additional groups for user than default
+ if self.WIN:
+ res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
+ % self.get_user_dn("acluser3") )
+ try:
+ self.assertEqual( res[0]["memberOf"][0], "" )
+ except KeyError:
+ pass
+ else:
+ self.fail()
+ # Create user connection that we will test with
+ ldb_user = self.get_ldb_connection("acluser3", "samba123@")
+ ldif = """
+dn: """ + self.get_user_dn("acluser3") + """
+changetype: modify
+add: adminDescription
+adminDescription: blah blah blah"""
+ try:
+ ldb_user.modify_ldif(ldif)
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
+ else:
+ # This 'modify' operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS
+ self.fail()
+
+ mod = "(OA;;WP;bf967919-0de6-11d0-a285-00aa003049e2;;PS)"
+ self.dacl_add_ace(self.get_user_dn("acluser3"), mod)
+ # Modify on attribute you have rights for
+ ldb_user.modify_ldif(ldif)
+ res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \
+ % self.get_user_dn("acluser3"), attrs=["adminDescription"] )
+ self.assertEqual(res[0]["adminDescription"][0], "blah blah blah")
+
#enable these when we have search implemented
def _test_search_u1(self):
"""See if can prohibit user to read another User object"""