From 6a4063f30273ff184364f276c5206c3507f37644 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 2 Jan 2013 15:01:23 +1100
Subject: dsdb-acl: Use the structural objectClass in acl_check_access_on_attribute()
This commit enters the GUID into the object tree so that that access rights assigned to the structural objectClass are also available, as well as rights assigned to the attribute property groups.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher
Reviewed-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
---
source4/dsdb/samdb/ldb_modules/acl_util.c | 32 +++++++++++++++----------------
1 file changed, 16 insertions(+), 16 deletions(-)
(limited to 'source4/dsdb/samdb')
diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c
index 95ab2752c7..09ca201d94 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_util.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_util.c
@@ -107,30 +107,30 @@ int acl_check_access_on_attribute(struct ldb_module *module,
 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 struct security_token *token = acl_user_token(module);
+ if (!insert_in_object_tree(tmp_ctx,
+ &objectclass->schemaIDGUID,
+ access_mask, &root,
+ &new_node)) {
+ DEBUG(10, ("acl_search: cannot add to object tree class schemaIDGUID\n"));
+ goto fail;
+ }
+
 if (!GUID_all_zero(&attr->attributeSecurityGUID)) {
 if (!insert_in_object_tree(tmp_ctx,
 &attr->attributeSecurityGUID,
- access_mask, &root,
+ access_mask, &new_node,
 &new_node)) {
 DEBUG(10, ("acl_search: cannot add to object tree securityGUID\n"));
 goto fail;
 }
+ }
- if (!insert_in_object_tree(tmp_ctx,
- &attr->schemaIDGUID,
- access_mask, &new_node,
- &new_node)) {
- DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
- goto fail;
- }
- } else {
- if (!insert_in_object_tree(tmp_ctx,
- &attr->schemaIDGUID,
- access_mask, &root,
- &new_node)) {
- DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
- goto fail;
- }
+ if (!insert_in_object_tree(tmp_ctx,
+ &attr->schemaIDGUID,
+ access_mask, &new_node,
+ &new_node)) {
+ DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
+ goto fail;
 }
 status = sec_access_check_ds(sd, token,
-- cgit
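Review bot: The added first insert dereferences `objectclass` (`&objectclass->schemaIDGUID`) with no NULL check visible in the hunk, and that node now becomes the root of the tree used for every attribute access check. The declaration of `objectclass` and the callers are outside the hunk, so if any caller can pass a NULL structural class (for example when the schema lookup for the object fails), add a guard such as `if (objectclass == NULL) { goto fail; }` before the call. The `fail` label is also outside the hunk; confirm that it returns a denial or an error rather than a success code. Separately, all three DEBUG messages are prefixed `acl_search:` although they are emitted from acl_check_access_on_attribute(), which makes failed access checks harder to trace in logs; prefixing them with the actual function name would fix that.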