diff options
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/acl_util.c | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c index 13d6098a21..bbf8e660a6 100644 --- a/source4/dsdb/samdb/ldb_modules/acl_util.c +++ b/source4/dsdb/samdb/ldb_modules/acl_util.c @@ -150,6 +150,45 @@ fail: return ldb_operr(ldb_module_get_ctx(module)); } +int acl_check_access_on_objectclass(struct ldb_module *module, + TALLOC_CTX *mem_ctx, + struct security_descriptor *sd, + struct dom_sid *rp_sid, + uint32_t access_mask, + const struct dsdb_class *objectclass) +{ + int ret; + NTSTATUS status; + uint32_t access_granted; + struct object_tree *root = NULL; + struct object_tree *new_node = NULL; + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + struct security_token *token = acl_user_token(module); + + if (!insert_in_object_tree(tmp_ctx, + &objectclass->schemaIDGUID, + access_mask, &root, + &new_node)) { + DEBUG(10, ("acl_search: cannot add to object tree class schemaIDGUID\n")); + goto fail; + } + + status = sec_access_check_ds(sd, token, + access_mask, + &access_granted, + root, + rp_sid); + if (!NT_STATUS_IS_OK(status)) { + ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS; + } else { + ret = LDB_SUCCESS; + } + talloc_free(tmp_ctx); + return ret; +fail: + talloc_free(tmp_ctx); + return ldb_operr(ldb_module_get_ctx(module)); +} /* checks for validated writes */ int acl_check_extended_right(TALLOC_CTX *mem_ctx, |