
dynacl behavior



In this section of code, I believe the ACL_INITs should be ACL_INVALIDATEs instead; otherwise the final test "see if we have anything to contribute" is always skipped.
Agreed?


           /* start out with nothing granted, nothing denied */
           ACL_INIT(tgrant);
           ACL_INIT(tdeny);

           for ( da = b->a_dynacl; da; da = da->da_next ) {
               slap_access_t   grant,
                       deny;

               ACL_INIT(grant);
               ACL_INIT(deny);

               Debug( LDAP_DEBUG_ACL, "    <= check a_dynacl: %s\n",
                   da->da_name, 0, 0 );

               (void)( *da->da_mask )( da->da_private, op, e, desc, val,
                   nmatch, matches, &grant, &deny );

               tgrant |= grant;
               tdeny |= deny;
           }

           /* remove anything that the ACL clause does not allow */
           tgrant &= b->a_access_mask & ACL_PRIV_MASK;
           tdeny &= ACL_PRIV_MASK;

           /* see if we have anything to contribute */
           if( ACL_IS_INVALID(tgrant) && ACL_IS_INVALID(tdeny) ) {
               continue;
           }

--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/
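
The effect raised in the message above, modeled as an added example (not code from the post or from OpenLDAP). The constants, the callback type and the module chains are constructed stand-ins, assuming the "init" value sets a bit inside the privilege mask while the invalid sentinel is zero.

```c
#include <stdio.h>

/* Constructed stand-ins for the macros named in the post. The values are
 * assumptions for this model, not copied from OpenLDAP's slap.h. */
typedef unsigned long mask_t;
#define PRIV_INVALID 0x0000UL  /* sentinel meaning "no opinion" */
#define PRIV_NONE    0x0001UL  /* explicit "none" bit, assumed inside PRIV_MASK */
#define PRIV_READ    0x0020UL
#define PRIV_MASK    0x00ffUL
#define IS_INVALID(m) ((m) == PRIV_INVALID)

/* Hypothetical dynacl callback: ORs its opinion into grant/deny. */
typedef void (*dyn_mask_fn)(mask_t *grant, mask_t *deny);

static void dyn_silent(mask_t *grant, mask_t *deny) { (void)grant; (void)deny; }
static void dyn_grant_read(mask_t *grant, mask_t *deny) { (void)deny; *grant |= PRIV_READ; }

/* Constructed module chains. */
static const dyn_mask_fn chain_silent[] = { dyn_silent, dyn_silent };
static const dyn_mask_fn chain_reader[] = { dyn_silent, dyn_grant_read };

/* Mirrors the loop in the post. Returns 1 when the clause is skipped by the
 * "anything to contribute" test, 0 when evaluation falls through.
 * `init` is the starting value of the totals and of each per-module mask. */
static int clause_skipped(mask_t init, mask_t access_mask,
                          const dyn_mask_fn *mods, int n)
{
    mask_t tgrant = init, tdeny = init;
    for (int i = 0; i < n; i++) {
        mask_t grant = init, deny = init;
        mods[i](&grant, &deny);
        tgrant |= grant;
        tdeny |= deny;
    }
    tgrant &= access_mask & PRIV_MASK;  /* keep only what the clause allows */
    tdeny &= PRIV_MASK;
    return IS_INVALID(tgrant) && IS_INVALID(tdeny);
}

int main(void)
{
    printf("init=NONE,    silent chain: skipped=%d\n",
           clause_skipped(PRIV_NONE, PRIV_READ, chain_silent, 2));
    printf("init=INVALID, silent chain: skipped=%d\n",
           clause_skipped(PRIV_INVALID, PRIV_READ, chain_silent, 2));
    printf("init=INVALID, reader chain: skipped=%d\n",
           clause_skipped(PRIV_INVALID, PRIV_READ, chain_reader, 2));
    return 0;
}
```

In this model the deny total keeps the "none" bit whenever it starts from the init value, so the sentinel test cannot match even when no module contributes anything.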