s4:dsdb:acl_read: fully set up 'struct aclread_context' before the search base acl...
authorStefan Metzmacher <metze@samba.org>
Tue, 6 Oct 2020 13:10:33 +0000 (15:10 +0200)
committerKarolin Seeger <kseeger@samba.org>
Mon, 26 Oct 2020 12:17:33 +0000 (12:17 +0000)
This makes further changes much easier.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit c4a3028de726d6708f57d02f9162a4d62d1b6ae7)

source4/dsdb/samdb/ldb_modules/acl_read.c

index 9d088698e8c39a352157b35a849906eefd6e9e52..dca43bcab76b035259b7f2bbf35c07d840ca0add 100644 (file)
@@ -763,36 +763,6 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
                return ldb_next_request(module, req);
        }
 
-       /* check accessibility of base */
-       if (!ldb_dn_is_null(req->op.search.base)) {
-               ret = dsdb_module_search_dn(module, req, &res, req->op.search.base,
-                                           acl_attrs,
-                                           DSDB_FLAG_NEXT_MODULE |
-                                           DSDB_FLAG_AS_SYSTEM |
-                                           DSDB_SEARCH_SHOW_RECYCLED,
-                                           req);
-               if (ret != LDB_SUCCESS) {
-                       return ldb_error(ldb, ret,
-                                       "acl_read: Error retrieving instanceType for base.");
-               }
-               instanceType = ldb_msg_find_attr_as_uint(res->msgs[0],
-                                                       "instanceType", 0);
-               if (instanceType != 0 && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
-               {
-                       /* the object has a parent, so we have to check for visibility */
-                       struct ldb_dn *parent_dn = ldb_dn_get_parent(req, req->op.search.base);
-                       ret = dsdb_module_check_access_on_dn(module,
-                                                            req,
-                                                            parent_dn,
-                                                            SEC_ADS_LIST,
-                                                            NULL, req);
-                       if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
-                               return ldb_module_done(req, NULL, NULL, LDB_ERR_NO_SUCH_OBJECT);
-                       } else if (ret != LDB_SUCCESS) {
-                               return ldb_module_done(req, NULL, NULL, ret);
-                       }
-               }
-       }
        ac = talloc_zero(req, struct aclread_context);
        if (ac == NULL) {
                return ldb_oom(ldb);
@@ -865,6 +835,38 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
        }
 
        ac->attrs = req->op.search.attrs;
+
+       /* check accessibility of base */
+       if (!ldb_dn_is_null(req->op.search.base)) {
+               ret = dsdb_module_search_dn(module, req, &res, req->op.search.base,
+                                           acl_attrs,
+                                           DSDB_FLAG_NEXT_MODULE |
+                                           DSDB_FLAG_AS_SYSTEM |
+                                           DSDB_SEARCH_SHOW_RECYCLED,
+                                           req);
+               if (ret != LDB_SUCCESS) {
+                       return ldb_error(ldb, ret,
+                                       "acl_read: Error retrieving instanceType for base.");
+               }
+               instanceType = ldb_msg_find_attr_as_uint(res->msgs[0],
+                                                       "instanceType", 0);
+               if (instanceType != 0 && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
+               {
+                       /* the object has a parent, so we have to check for visibility */
+                       struct ldb_dn *parent_dn = ldb_dn_get_parent(req, req->op.search.base);
+                       ret = dsdb_module_check_access_on_dn(module,
+                                                            req,
+                                                            parent_dn,
+                                                            SEC_ADS_LIST,
+                                                            NULL, req);
+                       if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
+                               return ldb_module_done(req, NULL, NULL, LDB_ERR_NO_SUCH_OBJECT);
+                       } else if (ret != LDB_SUCCESS) {
+                               return ldb_module_done(req, NULL, NULL, ret);
+                       }
+               }
+       }
+
        ret = ldb_build_search_req_ex(&down_req,
                                      ldb, ac,
                                      req->op.search.base,
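Review bot: At its new position the base-visibility block still hands `parent_dn` from `ldb_dn_get_parent()` to `dsdb_module_check_access_on_dn()` without a NULL check, and `ldb_dn_get_parent()` returns NULL when the DN has no parent component or the allocation fails; a guard such as `if (parent_dn == NULL) { return ldb_operr(ldb); }` before the access check would keep a failed allocation from being evaluated as an access decision. The `LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS` to `LDB_ERR_NO_SUCH_OBJECT` mapping deserves a comment stating its purpose, e.g. `/* no LIST right on the parent: answer NO_SUCH_OBJECT so the caller cannot probe whether the base exists */`, since a future reader may otherwise "fix" it into returning the real error. The brace style of `if (instanceType != 0 && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))` with the `{` on its own line differs from the rest of the function, which puts it on the condition line. aclread_search continues past the end of this hunk.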