s4:dsdb/acl: require SEC_ADS_DELETE_TREE if the TREE_DELETE control is given (bug...
authorStefan Metzmacher <metze@samba.org>
Sat, 24 Nov 2012 09:06:13 +0000 (10:06 +0100)
committerMichael Adam <obnox@samba.org>
Fri, 30 Nov 2012 16:17:21 +0000 (17:17 +0100)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
source4/dsdb/samdb/ldb_modules/acl.c

index 4a288f152fffe4dbf5da3e4ebaeed849f48f6171..9bf261225ec67946bfa55f8cb14012ece4386c61 100644 (file)
@@ -1230,6 +1230,18 @@ static int acl_delete(struct ldb_module *module, struct ldb_request *req)
        }
        talloc_free(nc_root);
 
+       if (ldb_request_get_control(req, LDB_CONTROL_TREE_DELETE_OID)) {
+               ret = dsdb_module_check_access_on_dn(module, req,
+                                                    req->op.del.dn,
+                                                    SEC_ADS_DELETE_TREE, NULL,
+                                                    req);
+               if (ret != LDB_SUCCESS) {
+                       return ret;
+               }
+
+               return ldb_next_request(module, req);
+       }
+
        /* First check if we have delete object right */
        ret = dsdb_module_check_access_on_dn(module, req, req->op.del.dn,
                                             SEC_STD_DELETE, NULL, req);
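Review bot: The early `return ldb_next_request(module, req);` that closes the new tree-delete branch skips the SEC_STD_DELETE check that follows it, and nothing in the block says this is deliberate. A comment above the `if` would make the authorization rule explicit, e.g. `/* With the TREE_DELETE control only SEC_ADS_DELETE_TREE on the target DN is required; the per-object delete checks below are intentionally not evaluated. */`. Whether the descendants removed by the tree delete are access-checked individually further down the module stack is not visible in this hunk, so that comment (or the commit message) should also name the module responsible for it. A regression test in which the caller holds plain delete rights but not SEC_ADS_DELETE_TREE and is refused would pin the new behaviour. The rest of acl_delete lies outside this hunk.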