dsdb-acl: Use the structural objectClass in acl_check_access_on_attribute()
authorAndrew Bartlett <abartlet@samba.org>
Wed, 2 Jan 2013 04:01:23 +0000 (15:01 +1100)
committerStefan Metzmacher <metze@samba.org>
Mon, 21 Jan 2013 15:12:45 +0000 (16:12 +0100)
This commit enters the GUID into the object tree so that the access
rights assigned to the structural objectClass are also available, as
well as rights assigned to the attribute property groups.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/dsdb/samdb/ldb_modules/acl_util.c

index 95ab2752c7cf77157fb64467a58ec97dd6afcd51..09ca201d949fb7a8d37a3b2e2a2778e5b21cd2c3 100644 (file)
@@ -107,30 +107,30 @@ int acl_check_access_on_attribute(struct ldb_module *module,
        TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
        struct security_token *token = acl_user_token(module);
 
+       if (!insert_in_object_tree(tmp_ctx,
+                                  &objectclass->schemaIDGUID,
+                                  access_mask, &root,
+                                  &new_node)) {
+               DEBUG(10, ("acl_search: cannot add to object tree class schemaIDGUID\n"));
+               goto fail;
+       }
+
        if (!GUID_all_zero(&attr->attributeSecurityGUID)) {
                if (!insert_in_object_tree(tmp_ctx,
                                           &attr->attributeSecurityGUID,
-                                          access_mask, &root,
+                                          access_mask, &new_node,
                                           &new_node)) {
                        DEBUG(10, ("acl_search: cannot add to object tree securityGUID\n"));
                        goto fail;
                }
+       }
 
-               if (!insert_in_object_tree(tmp_ctx,
-                                          &attr->schemaIDGUID,
-                                          access_mask, &new_node,
-                                          &new_node)) {
-                       DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
-                       goto fail;
-               }
-       } else {
-               if (!insert_in_object_tree(tmp_ctx,
-                                          &attr->schemaIDGUID,
-                                          access_mask, &root,
-                                          &new_node)) {
-                       DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
-                       goto fail;
-               }
+       if (!insert_in_object_tree(tmp_ctx,
+                                  &attr->schemaIDGUID,
+                                  access_mask, &new_node,
+                                  &new_node)) {
+               DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
+               goto fail;
        }
 
        status = sec_access_check_ds(sd, token,
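Review bot: `objectclass` is dereferenced in the new first `insert_in_object_tree()` call (`&objectclass->schemaIDGUID`) with no NULL check visible in this hunk. If any caller can reach this function with a message whose structural objectClass could not be resolved in the schema, the access check would crash the process instead of denying the request. The function's signature and its `fail` label lie outside the hunk, so this may already be guaranteed by the callers. If it is not, a fail-closed guard before the first insert would cover it, for example `if (objectclass == NULL) { DEBUG(10, ("acl_check_access_on_attribute: no structural objectClass\n")); goto fail; }`, assuming `fail` frees `tmp_ctx` and returns an error. Separately, the added DEBUG line reuses the `acl_search:` prefix although the code lives in `acl_check_access_on_attribute()`, which makes a denied-access trace harder to attribute when reading logs.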