summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
Diffstat (limited to 'source4')
-rw-r--r--source4/dsdb/samdb/ldb_modules/acl.c47
-rw-r--r--source4/dsdb/samdb/ldb_modules/schema.c46
2 files changed, 47 insertions, 46 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index d898d7e348..6971fbf4ee 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -287,6 +287,52 @@ static int acl_childClasses(struct ldb_module *module,
return LDB_SUCCESS;
}
+static int acl_check_access_on_class(struct ldb_module *module,
+ const struct dsdb_schema *schema,
+ TALLOC_CTX *mem_ctx,
+ struct security_descriptor *sd,
+ struct security_token *token,
+ struct dom_sid *rp_sid,
+ uint32_t access_mask,
+ const char *class_name)
+{
+ int ret;
+ NTSTATUS status;
+ uint32_t access_granted;
+ struct object_tree *root = NULL;
+ struct object_tree *new_node = NULL;
+ const struct GUID *guid;
+
+ if (class_name != NULL) {
+ guid = class_schemaid_guid_by_lDAPDisplayName(schema, class_name);
+ if (!guid) {
+ DEBUG(10, ("acl_search: cannot find class %s\n",
+ class_name));
+ goto fail;
+ }
+ if (!insert_in_object_tree(mem_ctx,
+ guid, access_mask,
+ &root, &new_node)) {
+ DEBUG(10, ("acl_search: cannot add to object tree guid\n"));
+ goto fail;
+ }
+ }
+
+ status = sec_access_check_ds(sd, token,
+ access_mask,
+ &access_granted,
+ root,
+ rp_sid);
+ if (!NT_STATUS_IS_OK(status)) {
+ ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+ } else {
+ ret = LDB_SUCCESS;
+ }
+ return ret;
+fail:
+ return ldb_operr(ldb_module_get_ctx(module));
+}
+
static int acl_childClassesEffective(struct ldb_module *module,
const struct dsdb_schema *schema,
struct ldb_message *sd_msg,
@@ -339,6 +385,7 @@ static int acl_childClassesEffective(struct ldb_module *module,
schema,
msg,
sd,
+ acl_user_token(module),
sid,
SEC_ADS_CREATE_CHILD,
sclass->possibleInferiors[j]);
diff --git a/source4/dsdb/samdb/ldb_modules/schema.c b/source4/dsdb/samdb/ldb_modules/schema.c
index f483fd386e..d24d388d25 100644
--- a/source4/dsdb/samdb/ldb_modules/schema.c
+++ b/source4/dsdb/samdb/ldb_modules/schema.c
@@ -73,52 +73,6 @@ const struct dsdb_class *get_last_structural_class(const struct dsdb_schema *sch
return last_class;
}
-int acl_check_access_on_class(struct ldb_module *module,
- const struct dsdb_schema *schema,
- TALLOC_CTX *mem_ctx,
- struct security_descriptor *sd,
- struct dom_sid *rp_sid,
- uint32_t access_mask,
- const char *class_name)
-{
- int ret;
- NTSTATUS status;
- uint32_t access_granted;
- struct object_tree *root = NULL;
- struct object_tree *new_node = NULL;
- const struct GUID *guid;
- TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
- struct security_token *token = acl_user_token(module);
- if (class_name) {
- guid = class_schemaid_guid_by_lDAPDisplayName(schema, class_name);
- if (!guid) {
- DEBUG(10, ("acl_search: cannot find class %s\n",
- class_name));
- goto fail;
- }
- if (!insert_in_object_tree(tmp_ctx,
- guid, access_mask,
- &root, &new_node)) {
- DEBUG(10, ("acl_search: cannot add to object tree guid\n"));
- goto fail;
- }
- }
- status = sec_access_check_ds(sd, token,
- access_mask,
- &access_granted,
- root,
- rp_sid);
- if (!NT_STATUS_IS_OK(status)) {
- ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
- }
- else {
- ret = LDB_SUCCESS;
- }
- return ret;
-fail:
- return ldb_operr(ldb_module_get_ctx(module));
-}
-
const struct GUID *get_oc_guid_from_message(struct ldb_module *module,
const struct dsdb_schema *schema,
struct ldb_message *msg)