summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/dsdb/samdb/ldb_modules/acl_util.c39
1 files changed, 39 insertions, 0 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c
index 13d6098a21..bbf8e660a6 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_util.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_util.c
@@ -150,6 +150,45 @@ fail:
return ldb_operr(ldb_module_get_ctx(module));
}
+int acl_check_access_on_objectclass(struct ldb_module *module,
+ TALLOC_CTX *mem_ctx,
+ struct security_descriptor *sd,
+ struct dom_sid *rp_sid,
+ uint32_t access_mask,
+ const struct dsdb_class *objectclass)
+{
+ int ret;
+ NTSTATUS status;
+ uint32_t access_granted;
+ struct object_tree *root = NULL;
+ struct object_tree *new_node = NULL;
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ struct security_token *token = acl_user_token(module);
+
+ if (!insert_in_object_tree(tmp_ctx,
+ &objectclass->schemaIDGUID,
+ access_mask, &root,
+ &new_node)) {
+ DEBUG(10, ("acl_search: cannot add to object tree class schemaIDGUID\n"));
+ goto fail;
+ }
+
+ status = sec_access_check_ds(sd, token,
+ access_mask,
+ &access_granted,
+ root,
+ rp_sid);
+ if (!NT_STATUS_IS_OK(status)) {
+ ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+ } else {
+ ret = LDB_SUCCESS;
+ }
+ talloc_free(tmp_ctx);
+ return ret;
+fail:
+ talloc_free(tmp_ctx);
+ return ldb_operr(ldb_module_get_ctx(module));
+}
/* checks for validated writes */
int acl_check_extended_right(TALLOC_CTX *mem_ctx,