dynacl behavior
- To: OpenLDAP Devel <openldap-devel@OpenLDAP.org>
- Subject: dynacl behavior
- From: Howard Chu <hyc@symas.com>
- Date: Wed, 03 May 2006 11:40:11 -0700
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060427 SeaMonkey/1.5a
In this section of code, I believe the ACL_INITs should be
ACL_INVALIDATEs instead, otherwise the final test "see if we have
anything to contribute" is always skipped.
Agreed?
    /* start out with nothing granted, nothing denied */
    ACL_INIT(tgrant);
    ACL_INIT(tdeny);

    for ( da = b->a_dynacl; da; da = da->da_next ) {
        slap_access_t grant,
                      deny;

        ACL_INIT(grant);
        ACL_INIT(deny);

        Debug( LDAP_DEBUG_ACL, " <= check a_dynacl: %s\n",
            da->da_name, 0, 0 );

        (void)( *da->da_mask )( da->da_private, op, e, desc,
            val, nmatch, matches, &grant, &deny );

        tgrant |= grant;
        tdeny |= deny;
    }

    /* remove anything that the ACL clause does not allow */
    tgrant &= b->a_access_mask & ACL_PRIV_MASK;
    tdeny &= ACL_PRIV_MASK;

    /* see if we have anything to contribute */
    if( ACL_IS_INVALID(tgrant) && ACL_IS_INVALID(tdeny) ) {
        continue;
    }
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
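
A simplified stand-alone model of the loop quoted in the message above, added here as an illustration; it is not code from the original message or from OpenLDAP. The bit values, the two mask callbacks, and the `start` and `clause_skipped` helpers are assumptions, chosen so the effect of the starting value on the final `ACL_IS_INVALID` test can be run.

```c
#include <stdio.h>

/* Simplified model. Bit values are assumptions for illustration,
 * not copied from OpenLDAP's slap.h. */
typedef unsigned long slap_access_t;
#define ACL_PRIV_INVALID  0x00UL  /* assumed: nothing set at all */
#define ACL_PRIV_NONE     0x01UL  /* assumed: the "none" level is itself a bit */
#define ACL_PRIV_READ     0x20UL  /* assumed */
#define ACL_PRIV_MASK     0xffUL  /* assumed */
#define ACL_INIT(m)       ((m) = ACL_PRIV_NONE)
#define ACL_INVALIDATE(m) ((m) = ACL_PRIV_INVALID)
#define ACL_IS_INVALID(m) ((m) == ACL_PRIV_INVALID)

/* Hypothetical stand-ins for the da->da_mask callbacks. */
typedef void (*mask_fn)(slap_access_t *grant, slap_access_t *deny);
static void mask_silent(slap_access_t *g, slap_access_t *d) { (void)g; (void)d; }
static void mask_grant_read(slap_access_t *g, slap_access_t *d) { (void)d; *g |= ACL_PRIV_READ; }

/* Hypothetical helper: pick the starting value under comparison. */
static void start(slap_access_t *m, int use_invalidate)
{
    if (use_invalidate) ACL_INVALIDATE(*m); else ACL_INIT(*m);
}

/* Returns 1 when the "anything to contribute" test would hit `continue`. */
static int clause_skipped(int use_invalidate, const mask_fn *mods, int n,
                          slap_access_t a_access_mask)
{
    slap_access_t tgrant, tdeny;
    start(&tgrant, use_invalidate);
    start(&tdeny, use_invalidate);
    for (int i = 0; i < n; i++) {
        slap_access_t grant, deny;
        start(&grant, use_invalidate);
        start(&deny, use_invalidate);
        mods[i](&grant, &deny);
        tgrant |= grant;
        tdeny |= deny;
    }
    tgrant &= a_access_mask & ACL_PRIV_MASK;  /* keep only what the clause allows */
    tdeny &= ACL_PRIV_MASK;
    return ACL_IS_INVALID(tgrant) && ACL_IS_INVALID(tdeny);
}

int main(void)
{
    const mask_fn silent[] = { mask_silent };
    const mask_fn reader[] = { mask_grant_read };
    printf("silent, ACL_INIT:       skipped=%d\n", clause_skipped(0, silent, 1, ACL_PRIV_READ));
    printf("silent, ACL_INVALIDATE: skipped=%d\n", clause_skipped(1, silent, 1, ACL_PRIV_READ));
    printf("reader, ACL_INVALIDATE: skipped=%d\n", clause_skipped(1, reader, 1, ACL_PRIV_READ));
    return 0;
}
```

Under these assumed values, a module that contributes nothing still leaves the "none" bit in `tdeny` when the masks start from `ACL_INIT`, so the clause is never skipped; starting from `ACL_INVALIDATE` lets the test fire.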