3) "printer admins" (may result in numerous calls to winbind)
****************************************************************************/
-bool print_access_check(const struct auth_session_info *session_info,
- struct messaging_context *msg_ctx, int snum,
- int access_type)
+WERROR print_access_check(const struct auth_session_info *session_info,
+ struct messaging_context *msg_ctx, int snum,
+ int access_type)
{
struct spoolss_security_descriptor *secdesc = NULL;
uint32 access_granted;
/* Always allow root or SE_PRINT_OPERATROR to do anything */
- if (session_info->unix_token->uid == sec_initial_uid()
- || security_token_has_privilege(session_info->security_token, SEC_PRIV_PRINT_OPERATOR)) {
- return True;
+ if ((session_info->unix_token->uid == sec_initial_uid())
+ || security_token_has_privilege(session_info->security_token,
+ SEC_PRIV_PRINT_OPERATOR)) {
+ return WERR_OK;
}
/* Get printer name */
pname = lp_printername(talloc_tos(), snum);
if (!pname || !*pname) {
- errno = EACCES;
- return False;
+ return WERR_ACCESS_DENIED;
}
/* Get printer security descriptor */
if(!(mem_ctx = talloc_init("print_access_check"))) {
- errno = ENOMEM;
- return False;
+ return WERR_NOMEM;
}
result = winreg_get_printer_secdesc_internal(mem_ctx,
&secdesc);
if (!W_ERROR_IS_OK(result)) {
talloc_destroy(mem_ctx);
- errno = ENOMEM;
- return False;
+ return WERR_NOMEM;
}
if (access_type == JOB_ACCESS_ADMINISTER) {
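Review bot: The failure branch after `winreg_get_printer_secdesc_internal()` still returns a hard-coded `WERR_NOMEM` and discards `result`, so a missing or unreadable security descriptor is reported as an out-of-memory condition. Now that the function returns a `WERROR`, the branch can pass the real cause up: keep `talloc_destroy(mem_ctx);` and replace the return with `return result;`. The access decision still fails closed, and anyone investigating a refused print operation sees the actual registry error. The body of `print_access_check()` starts and ends outside this hunk.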
false);
if (!NT_STATUS_IS_OK(status)) {
talloc_destroy(mem_ctx);
- errno = map_errno_from_nt_status(status);
- return False;
+ return ntstatus_to_werror(status);
}
map_job_permissions(secdesc);
talloc_destroy(mem_ctx);
- if (!NT_STATUS_IS_OK(status)) {
- errno = EACCES;
- }
-
- return NT_STATUS_IS_OK(status);
+ return ntstatus_to_werror(status);
}
/****************************************************************************
owns their job. */
if (!owner &&
- !print_access_check(server_info, msg_ctx, snum,
- JOB_ACCESS_ADMINISTER)) {
+ !W_ERROR_IS_OK(print_access_check(server_info, msg_ctx, snum,
+ JOB_ACCESS_ADMINISTER))) {
DEBUG(3, ("delete denied by security descriptor\n"));
- /* BEGIN_ADMIN_LOG */
- sys_adminlog( LOG_ERR,
- "Permission denied-- user not allowed to delete, \
-pause, or resume print job. User name: %s. Printer name: %s.",
- uidtoname(server_info->unix_token->uid),
- lp_printername(talloc_tos(), snum) );
- /* END_ADMIN_LOG */
+ sys_adminlog(LOG_ERR,
+ "Permission denied-- user not allowed to delete, "
+ "pause, or resume print job. User name: %s. "
+ "Printer name: %s.",
+ uidtoname(server_info->unix_token->uid),
+ lp_printername(tmp_ctx, snum) );
werr = WERR_ACCESS_DENIED;
goto err_out;
}
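Review bot: Every non-OK result from `print_access_check()` is treated as a denial in this branch: the `!W_ERROR_IS_OK(...)` condition writes the "Permission denied" `sys_adminlog` entry and sets `werr = WERR_ACCESS_DENIED`, even when the check failed with `WERR_NOMEM` or a mapped NT status. Refusing the operation on any failure is right, but the audit log then records denials that were really lookup or allocation failures, which makes it less useful for spotting genuine unauthorised attempts. Keeping the returned code in `werr` and writing the admin entry only for `WERR_ACCESS_DENIED` separates the two cases, and the check is still skipped for the job owner. The pause and resume hunks below repeat the pattern, and the `PRINTER_ACCESS_USE` and `PRINTER_ACCESS_ADMINISTER` callers flatten the result to `WERR_ACCESS_DENIED` in the same way. The enclosing function starts and ends outside this hunk.

```c
if (!owner) {
	werr = print_access_check(server_info, msg_ctx, snum,
				  JOB_ACCESS_ADMINISTER);
	if (!W_ERROR_IS_OK(werr)) {
		DEBUG(3, ("delete refused: %s\n", win_errstr(werr)));
		if (W_ERROR_EQUAL(werr, WERR_ACCESS_DENIED)) {
			/* … unchanged: sys_adminlog "Permission denied" call … */
		}
		goto err_out;
	}
}
```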
if (!is_owner(server_info, lp_const_servicename(snum), jobid) &&
- !print_access_check(server_info, msg_ctx, snum,
- JOB_ACCESS_ADMINISTER)) {
+ !W_ERROR_IS_OK(print_access_check(server_info, msg_ctx, snum,
+ JOB_ACCESS_ADMINISTER))) {
DEBUG(3, ("pause denied by security descriptor\n"));
- /* BEGIN_ADMIN_LOG */
- sys_adminlog( LOG_ERR,
- "Permission denied-- user not allowed to delete, \
-pause, or resume print job. User name: %s. Printer name: %s.",
- uidtoname(server_info->unix_token->uid),
- lp_printername(talloc_tos(), snum) );
- /* END_ADMIN_LOG */
+ sys_adminlog(LOG_ERR,
+ "Permission denied-- user not allowed to delete, "
+ "pause, or resume print job. User name: %s. "
+ "Printer name: %s.",
+ uidtoname(server_info->unix_token->uid),
+ lp_printername(tmp_ctx, snum) );
werr = WERR_ACCESS_DENIED;
goto err_out;
}
if (!is_owner(server_info, lp_const_servicename(snum), jobid) &&
- !print_access_check(server_info, msg_ctx, snum,
- JOB_ACCESS_ADMINISTER)) {
+ !W_ERROR_IS_OK(print_access_check(server_info, msg_ctx, snum,
+ JOB_ACCESS_ADMINISTER))) {
DEBUG(3, ("resume denied by security descriptor\n"));
- /* BEGIN_ADMIN_LOG */
- sys_adminlog( LOG_ERR,
- "Permission denied-- user not allowed to delete, \
-pause, or resume print job. User name: %s. Printer name: %s.",
- uidtoname(server_info->unix_token->uid),
- lp_printername(talloc_tos(), snum) );
- /* END_ADMIN_LOG */
+ sys_adminlog(LOG_ERR,
+ "Permission denied-- user not allowed to delete, "
+ "pause, or resume print job. User name: %s. "
+ "Printer name: %s.",
+ uidtoname(server_info->unix_token->uid),
+ lp_printername(tmp_ctx, snum));
+
werr = WERR_ACCESS_DENIED;
goto err_out;
}
uint64_t minspace;
int ret;
- if (!print_access_check(server_info, msg_ctx, snum,
- PRINTER_ACCESS_USE)) {
+ if (!W_ERROR_IS_OK(print_access_check(server_info, msg_ctx, snum,
+ PRINTER_ACCESS_USE))) {
DEBUG(3, ("print_job_checks: "
"job start denied by security descriptor\n"));
return WERR_ACCESS_DENIED;
int ret;
struct printif *current_printif = get_printer_fns( snum );
- if (!print_access_check(server_info, msg_ctx, snum,
- PRINTER_ACCESS_ADMINISTER)) {
+ if (!W_ERROR_IS_OK(print_access_check(server_info, msg_ctx, snum,
+ PRINTER_ACCESS_ADMINISTER))) {
return WERR_ACCESS_DENIED;
}
int ret;
struct printif *current_printif = get_printer_fns( snum );
- if (!print_access_check(server_info, msg_ctx, snum,
- PRINTER_ACCESS_ADMINISTER)) {
+ if (!W_ERROR_IS_OK(print_access_check(server_info, msg_ctx, snum,
+ PRINTER_ACCESS_ADMINISTER))) {
return WERR_ACCESS_DENIED;
}
/* Force and update so the count is accurate (i.e. not a cached count) */
print_queue_update(msg_ctx, snum, True);
- can_job_admin = print_access_check(server_info,
- msg_ctx,
- snum,
- JOB_ACCESS_ADMINISTER);
+ can_job_admin = W_ERROR_IS_OK(print_access_check(server_info,
+ msg_ctx,
+ snum,
+ JOB_ACCESS_ADMINISTER));
njobs = print_queue_status(msg_ctx, snum, &queue, &status);
if ( can_job_admin )