Re: commit: ldap/servers/slapd/back-bdb add.c
Pierangelo Masarati wrote:
> On Fri, 2006-05-19 at 15:31 -0700, Howard Chu wrote:
>> Test045 is broken now because it only gives the updatedn write
>> privileges to "dn.subtree=<suffix>"; it now also needs children access
>> to the suffix's parent. Is the code wrong (which used to explicitly
>> allow access to the updatedn in this case) or the test's ACL?
>
> There shouldn't be any suffix's parent involved in access checking. The
> suffix doesn't have any parent by definition, right? I guess checking
> children access in this case is incorrect.

Well, there's some uncertainty here. You'll note that modrdn also
requires write access to the children attr of the newsuperior, and uses
slap_entry_root for the parent of the suffix already. And, adding

    access to dn.exact="" attrs=children by <foo> write

fixes the test. I think this is actually the right thing, it makes
everything consistent with no exceptions.

Most configurations probably won't see any difference because they

    access to * by <updatedn> write

which grants all of the required access anyway.

-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
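
The access check discussed in this thread, as an added example: a simplified Python model of first-match ACL evaluation, not OpenLDAP code and not code from any poster. The suffix, updatedn, ACL tuples and function names are constructed for illustration, and the model assumes an add needs write on the new entry's `entry` attribute and on the parent's `children` attribute.

```python
# Simplified model of slapd ACL evaluation (illustration only, not OpenLDAP code).
SUFFIX = "dc=example,dc=com"            # constructed suffix
UPDATEDN = "cn=replica," + SUFFIX       # constructed updatedn

def parent_dn(dn):
    # The suffix is the top of the database, so its parent is modelled as the
    # root entry "". Naive split: escaped commas in RDNs are not handled.
    return "" if dn == SUFFIX else dn.split(",", 1)[1]

def matches(what, dn, attr):
    scope, base, attrs = what
    if attrs is not None and attr not in attrs:
        return False
    if scope == "*":
        return True
    if scope == "exact":
        return dn == base
    return dn == base or dn.endswith("," + base)    # subtree

def has_write(acl, who, dn, attr):
    # The first "access to" clause matching the target decides the result.
    # No matching clause, or no matching "by", means no access.
    for what, by in acl:
        if matches(what, dn, attr):
            return by.get(who, by.get("*", "none")) == "write"
    return False

def can_add(acl, who, dn):
    # Assumed rule: write on the new entry and on "children" of its parent.
    return (has_write(acl, who, dn, "entry")
            and has_write(acl, who, parent_dn(dn), "children"))

# ACL as described for the test: write only below the suffix.
TEST_ACL = [(("subtree", SUFFIX, None), {UPDATEDN: "write", "*": "read"})]
# Same ACL plus the clause proposed in the thread for the root entry.
FIXED_ACL = [(("exact", "", ["children"]), {UPDATEDN: "write"})] + TEST_ACL
# The broad grant that most configurations use.
BROAD_ACL = [(("*", None, None), {UPDATEDN: "write"})]

if __name__ == "__main__":
    for name, acl in (("test", TEST_ACL), ("fixed", FIXED_ACL), ("broad", BROAD_ACL)):
        print(name, "add suffix:", can_add(acl, UPDATEDN, SUFFIX),
              "add child:", can_add(acl, UPDATEDN, "ou=people," + SUFFIX))
```

In this model only the add of the suffix entry itself is affected by the narrow ACL; adds below the suffix pass because their parent is already covered by the subtree clause.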