Hm, that patch was obviously wrong. Even though it resulted in working
value-dependent ACLs, it completely broke ACL caching. This patch
should work better:

-------------------------------------------------------------------
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1557,6 +1557,7 @@ typedef struct AccessControlState {
 
        /* Value dependent acl where processing can restart */
        AccessControl  *as_vd_acl;
+       int as_vd_acl_present;
        int as_vd_acl_count;
        slap_mask_t             as_vd_mask;
 
@@ -1567,7 +1568,7 @@ typedef struct AccessControlState {
        /* True if started to process frontend ACLs */
        int as_fe_done;
 } AccessControlState;
-#define ACL_STATE_INIT { NULL, ACL_NONE, NULL, 0, ACL_PRIV_NONE, -1, 0 }
+#define ACL_STATE_INIT { NULL, ACL_NONE, NULL, 0, 0, ACL_PRIV_NONE, -1, 0 }
 
 typedef struct AclRegexMatches {        
        int dn_count;
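Review bot: `ACL_STATE_INIT` is a positional initializer, so the added `0` only lands on `as_vd_acl_present` while the macro and the member order of AccessControlState (changed in the previous hunk) stay in step; several neighbouring members are plain integers, so a misplaced value would compile silently. I would add a comment above the macro, e.g. `/* positional: keep in sync with the member order of AccessControlState */`. The new member also deserves its own comment, e.g. `/* nonzero once as_vd_acl, as_vd_acl_count and as_vd_mask are recorded; as_vd_acl may still be NULL */`, where the NULL part is inferred from the acl.c hunks replacing the NULL tests. The first members of the struct are outside both hunks, so the full order cannot be checked from here.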
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -220,7 +220,7 @@ slap_access_allowed(
                state = &acl_state;
        if ( state->as_desc == desc &&
                state->as_access == access &&
-               state->as_vd_acl != NULL )
+               state->as_vd_acl_present )
        {
                a = state->as_vd_acl;
                count = state->as_vd_acl_count;
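Review bot: On this restart path `a = state->as_vd_acl` can now be NULL, which the old `!= NULL` test ruled out. The flag was presumably introduced for exactly that case, since slap_acl_get records `prev`. The rest of slap_access_allowed is outside the hunk, so it should be confirmed that nothing dereferences `a` before it is passed back to slap_acl_get, and that a NULL `a` with the saved count resumes at the intended rule. Because this decides where an access check continues, a short comment would help, e.g. `/* a may be NULL here: the recorded restart point precedes the first ACL */` (wording to be checked against slap_acl_get).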
@@ -405,7 +405,7 @@ access_allowed_mask(
                if ( state->as_desc == desc &&
                        state->as_access == access &&
                        state->as_result != -1 &&
-                       state->as_vd_acl == NULL )
+                       !state->as_vd_acl_present )
                        {
                        Debug( LDAP_DEBUG_ACL,
                                "=> access_allowed: result was in cache (%s)\n",
@@ -615,7 +615,8 @@ slap_acl_get(
                                continue;
                        }
 
-                       if ( state->as_vd_acl == NULL ) {
+                       if ( !state->as_vd_acl_present ) {
+                               state->as_vd_acl_present = 1;
                                state->as_vd_acl = prev;
                                state->as_vd_acl_count = *count - 1;
                                ACL_PRIV_ASSIGN ( state->as_vd_mask, *mask );
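Review bot: The flag is set here and in `ACL_RECORD_VALUE_STATE` (next hunk), but nothing in this patch clears it, so correctness rests on every reuse of an AccessControlState going through `ACL_STATE_INIT`. If any code outside these hunks resets the state field by field, for example by assigning `as_vd_acl = NULL`, a stale `as_vd_acl_present` could make slap_access_allowed resume from an old restart point and stop access_allowed_mask from using its cached result. It is worth searching for such resets and adding `state->as_vd_acl_present = 0;` beside any that exist. The enclosing loop of slap_acl_get is outside the hunk, so this cannot be verified from the patch alone.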
@@ -714,7 +715,8 @@ slap_acl_get(
  * Record value-dependent access control state
  */
 #define ACL_RECORD_VALUE_STATE do { \
-               if( state && state->as_vd_acl == NULL ) { \
+               if( state && !state->as_vd_acl_present ) { \
+                       state->as_vd_acl_present = 1; \
                        state->as_vd_acl = a; \
                        state->as_vd_acl_count = count; \
                        ACL_PRIV_ASSIGN( state->as_vd_mask, *mask ); \
-------------------------------------------------------------------

Comments welcome.

Ralf

