2024-12-25 23:21:54 +03:00 · 2012-04-04 12:29:58 +02:00 · 2012-04-04 12:29:58 +02:00 · ba96b2491e
commit ba96b2491e
parent 4eb0d42291
2 changed files with 47 additions and 46 deletions
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@ -287,6 +287,52 @@ static int acl_childClasses(struct ldb_module *module,
 	return LDB_SUCCESS;
 }

+static int acl_check_access_on_class(struct ldb_module *module,
+				     const struct dsdb_schema *schema,
+				     TALLOC_CTX *mem_ctx,
+				     struct security_descriptor *sd,
+				     struct security_token *token,
+				     struct dom_sid *rp_sid,
+				     uint32_t access_mask,
+				     const char *class_name)
+{
+	int ret;
+	NTSTATUS status;
+	uint32_t access_granted;
+	struct object_tree *root = NULL;
+	struct object_tree *new_node = NULL;
+	const struct GUID *guid;
+
+	if (class_name != NULL) {
+		guid = class_schemaid_guid_by_lDAPDisplayName(schema, class_name);
+		if (!guid) {
+			DEBUG(10, ("acl_search: cannot find class %s\n",
+				   class_name));
+			goto fail;
+		}
+		if (!insert_in_object_tree(mem_ctx,
+					   guid, access_mask,
+					   &root, &new_node)) {
+			DEBUG(10, ("acl_search: cannot add to object tree guid\n"));
+			goto fail;
+		}
+	}
+
+	status = sec_access_check_ds(sd, token,
+				     access_mask,
+				     &access_granted,
+				     root,
+				     rp_sid);
+	if (!NT_STATUS_IS_OK(status)) {
+		ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+	} else {
+		ret = LDB_SUCCESS;
+	}
+	return ret;
+fail:
+	return ldb_operr(ldb_module_get_ctx(module));
+}
+
 static int acl_childClassesEffective(struct ldb_module *module,
 				     const struct dsdb_schema *schema,
 				     struct ldb_message *sd_msg,
@ -339,6 +385,7 @@ static int acl_childClassesEffective(struct ldb_module *module,
 							schema,
 							msg,
 							sd,
+							acl_user_token(module),
 							sid,
 							SEC_ADS_CREATE_CHILD,
 							sclass->possibleInferiors[j]);
--- a/source4/dsdb/samdb/ldb_modules/schema.c
+++ b/source4/dsdb/samdb/ldb_modules/schema.c
@ -73,52 +73,6 @@ const struct dsdb_class *get_last_structural_class(const struct dsdb_schema *sch
 	return last_class;
 }

-int acl_check_access_on_class(struct ldb_module *module,
-			      const struct dsdb_schema *schema,
-			      TALLOC_CTX *mem_ctx,
-			      struct security_descriptor *sd,
-			      struct dom_sid *rp_sid,
-			      uint32_t access_mask,
-			      const char *class_name)
-{
-	int ret;
-	NTSTATUS status;
-	uint32_t access_granted;
-	struct object_tree *root = NULL;
-	struct object_tree *new_node = NULL;
-	const struct GUID *guid;
-	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
-	struct security_token *token = acl_user_token(module);
-	if (class_name) {
-		guid = class_schemaid_guid_by_lDAPDisplayName(schema, class_name);
-		if (!guid) {
-			DEBUG(10, ("acl_search: cannot find class %s\n",
-				   class_name));
-			goto fail;
-		}
-		if (!insert_in_object_tree(tmp_ctx,
-					   guid, access_mask,
-					   &root, &new_node)) {
-			DEBUG(10, ("acl_search: cannot add to object tree guid\n"));
-			goto fail;
-		}
-	}
-	status = sec_access_check_ds(sd, token,
-				     access_mask,
-				     &access_granted,
-				     root,
-				     rp_sid);
-	if (!NT_STATUS_IS_OK(status)) {
-		ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
-	}
-	else {
-		ret = LDB_SUCCESS;
-	}
-	return ret;
-fail:
-	return ldb_operr(ldb_module_get_ctx(module));
-}
-
 const struct GUID *get_oc_guid_from_message(struct ldb_module *module,
 						   const struct dsdb_schema *schema,
 						   struct ldb_message *msg)