From 5838637b4218ecf88e7a650610da3be1a5a518c9 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Sat, 24 Nov 2012 10:06:13 +0100
Subject: s4:dsdb/acl: require SEC_ADS_DELETE_TREE if the TREE_DELETE control is given (bug #7711)
Signed-off-by: Stefan Metzmacher
Reviewed-by: Michael Adam
---
 source4/dsdb/samdb/ldb_modules/acl.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 4a288f152f..9bf261225e 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -1230,6 +1230,18 @@ static int acl_delete(struct ldb_module *module, struct ldb_request *req)
 }
 talloc_free(nc_root);
+ if (ldb_request_get_control(req, LDB_CONTROL_TREE_DELETE_OID)) {
+ ret = dsdb_module_check_access_on_dn(module, req,
+ req->op.del.dn,
+ SEC_ADS_DELETE_TREE, NULL,
+ req);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ return ldb_next_request(module, req);
+ }
+
 /* First check if we have delete object right */
 ret = dsdb_module_check_access_on_dn(module, req, req->op.del.dn, SEC_STD_DELETE, NULL, req);
-- cgit
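Review bot: The early `return ldb_next_request(module, req);` in the new TREE_DELETE branch skips the SEC_STD_DELETE check that follows it, so for a tree delete the only right evaluated in this hunk is SEC_ADS_DELETE_TREE on `req->op.del.dn`, and nothing visible here checks the descendants individually. If that is the intended model, it deserves a comment above the branch, for example `/* Tree delete: DELETE_TREE on the root is the only right checked; the per-object checks below are skipped on purpose. */`, because a principal holding that one right can then remove objects it could not delete one by one. The condition would also read more clearly with an explicit pointer comparison, `ldb_request_get_control(req, LDB_CONTROL_TREE_DELETE_OID) != NULL`. acl_delete starts before and continues after this hunk, so any earlier bypass or later child-object check cannot be confirmed from here.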