s3:registry: replace call to reg_openkey() in reg_createkey() by accesscheck. (cherry...
authorMichael Adam <obnox@samba.org>
Mon, 23 Apr 2012 14:44:15 +0000 (16:44 +0200)
committerKarolin Seeger <kseeger@samba.org>
Thu, 10 May 2012 09:15:49 +0000 (11:15 +0200)
source3/registry/reg_api.c

index 0363ca4fed777e428aaef4e36c4ebd429b1dd0a2..55e364feae99b869a3becee0898406d1b49c69dc 100644 (file)
@@ -557,6 +557,7 @@ WERROR reg_createkey(TALLOC_CTX *ctx, struct registry_key *parent,
        TALLOC_CTX *mem_ctx;
        char *path, *end;
        WERROR err;
+       uint32_t access_granted;
 
        mem_ctx = talloc_new(ctx);
        if (mem_ctx == NULL) {
@@ -617,14 +618,15 @@ WERROR reg_createkey(TALLOC_CTX *ctx, struct registry_key *parent,
        }
 
        /*
-        * We have to make a copy of the current key, as we opened it only
-        * with ENUM_SUBKEY access.
+        * We may (e.g. in the iteration) have opened the key with ENUM_SUBKEY.
+        * Instead of re-opening the key with CREATE_SUB_KEY, we simply
+        * duplicate the access check here and skip the expensive full open.
         */
-
-       err = reg_openkey(mem_ctx, key, "", KEY_CREATE_SUB_KEY,
-                         &create_parent);
-       if (!W_ERROR_IS_OK(err)) {
-               goto trans_done;
+       if (!regkey_access_check(key->key, KEY_CREATE_SUB_KEY, &access_granted,
+                                key->token))
+       {
+               err = WERR_ACCESS_DENIED;
+               goto done;
        }
 
        /*
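Review bot: The new access-denied branch leaves through `goto done;`, whereas the `reg_openkey()` failure path it replaces left through `goto trans_done;`. Both labels are defined outside this hunk, but if a registry transaction is already open at this point, as the old target suggests, a denied caller would skip the transaction's cancel/commit handling and leave it open. Unless `done` is known to unwind the transaction, the branch should keep the old target: `err = WERR_ACCESS_DENIED; goto trans_done;`. Separately, `access_granted` is only passed as an out-parameter and never read in the visible lines, so a short comment such as `/* access_granted is required by regkey_access_check() but not used here */` would make clear that only the boolean result gates key creation.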
@@ -640,7 +642,7 @@ WERROR reg_createkey(TALLOC_CTX *ctx, struct registry_key *parent,
         * Now open the newly created key
         */
 
-       err = reg_openkey(ctx, create_parent, path, desired_access, pkey);
+       err = reg_openkey(ctx, key, path, desired_access, pkey);
        if (W_ERROR_IS_OK(err) && (paction != NULL)) {
                *paction = REG_CREATED_NEW_KEY;
        }
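Review bot: With this call switched to `key`, nothing in the visible hunks assigns `create_parent` any more, yet the commit does not remove its declaration, which is presumably above the first hunk. Any remaining use of `create_parent` in the lines between the access check and this call, which lie outside the hunks, would now read an uninitialized pointer. Confirm no such use remains and drop the declaration in the same change so the compiler can flag stragglers.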