authorStefan Metzmacher <metze@samba.org>2020-10-06 15:10:33 +0200
committerKarolin Seeger <kseeger@samba.org>2020-10-27 08:22:01 +0000
commit24e0a440a9331f676cdeabf38f307fec281c86f3 (patch)
treec843cc2492c5566c4c4c6d3be6812e4f821c18ae /source4
parent540cd43baf2b761dbed17cd7e817b312cf31b96e (diff)
s4:dsdb:acl_read: fully set up 'struct aclread_context' before the search base acl check
This makes further changes much easier. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> (cherry picked from commit c4a3028de726d6708f57d02f9162a4d62d1b6ae7)
Diffstat (limited to 'source4')
-rw-r--r--source4/dsdb/samdb/ldb_modules/acl_read.c62
1 files changed, 32 insertions, 30 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index 9d088698e8c..dca43bcab76 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -763,36 +763,6 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
return ldb_next_request(module, req);
}
- /* check accessibility of base */
- if (!ldb_dn_is_null(req->op.search.base)) {
- ret = dsdb_module_search_dn(module, req, &res, req->op.search.base,
- acl_attrs,
- DSDB_FLAG_NEXT_MODULE |
- DSDB_FLAG_AS_SYSTEM |
- DSDB_SEARCH_SHOW_RECYCLED,
- req);
- if (ret != LDB_SUCCESS) {
- return ldb_error(ldb, ret,
- "acl_read: Error retrieving instanceType for base.");
- }
- instanceType = ldb_msg_find_attr_as_uint(res->msgs[0],
- "instanceType", 0);
- if (instanceType != 0 && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
- {
- /* the object has a parent, so we have to check for visibility */
- struct ldb_dn *parent_dn = ldb_dn_get_parent(req, req->op.search.base);
- ret = dsdb_module_check_access_on_dn(module,
- req,
- parent_dn,
- SEC_ADS_LIST,
- NULL, req);
- if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
- return ldb_module_done(req, NULL, NULL, LDB_ERR_NO_SUCH_OBJECT);
- } else if (ret != LDB_SUCCESS) {
- return ldb_module_done(req, NULL, NULL, ret);
- }
- }
- }
ac = talloc_zero(req, struct aclread_context);
if (ac == NULL) {
return ldb_oom(ldb);
@@ -865,6 +835,38 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
}
ac->attrs = req->op.search.attrs;
+
+ /* check accessibility of base */
+ if (!ldb_dn_is_null(req->op.search.base)) {
+ ret = dsdb_module_search_dn(module, req, &res, req->op.search.base,
+ acl_attrs,
+ DSDB_FLAG_NEXT_MODULE |
+ DSDB_FLAG_AS_SYSTEM |
+ DSDB_SEARCH_SHOW_RECYCLED,
+ req);
+ if (ret != LDB_SUCCESS) {
+ return ldb_error(ldb, ret,
+ "acl_read: Error retrieving instanceType for base.");
+ }
+ instanceType = ldb_msg_find_attr_as_uint(res->msgs[0],
+ "instanceType", 0);
+ if (instanceType != 0 && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
+ {
+ /* the object has a parent, so we have to check for visibility */
+ struct ldb_dn *parent_dn = ldb_dn_get_parent(req, req->op.search.base);
+ ret = dsdb_module_check_access_on_dn(module,
+ req,
+ parent_dn,
+ SEC_ADS_LIST,
+ NULL, req);
+ if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
+ return ldb_module_done(req, NULL, NULL, LDB_ERR_NO_SUCH_OBJECT);
+ } else if (ret != LDB_SUCCESS) {
+ return ldb_module_done(req, NULL, NULL, ret);
+ }
+ }
+ }
+
ret = ldb_build_search_req_ex(&down_req,
ldb, ac,
req->op.search.base,
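Review bot: In the relocated base check, the result of `ldb_dn_get_parent(req, req->op.search.base)` is passed to `dsdb_module_check_access_on_dn()` without a NULL test, so a failed allocation reaches the access check as a NULL DN. How that callee treats a NULL DN is not visible in this hunk, and because this is the check that decides whether the search base is visible to the caller, it should fail closed explicitly: `if (parent_dn == NULL) { return ldb_oom(ldb); }` directly after the assignment. The block is moved unchanged from earlier in aclread_search, so the gap predates this commit. The function body starts and ends outside the hunk.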