[Fedora-directory-commits] ldapserver/ldap/servers/slapd/back-ldbm ldbm_search.c, 1.14, 1.15

Nathan Kinder nkinder at fedoraproject.org
Wed Nov 26 22:42:15 UTC 2008


Author: nkinder

Update of /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv7639/ldap/servers/slapd/back-ldbm

Modified Files:
	ldbm_search.c 
Log Message:
Resolves: 220532
Summary: Add access to RUV by users other than "cn=Directory Manager".



Index: ldbm_search.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/ldbm_search.c,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- ldbm_search.c	8 Aug 2008 15:53:10 -0000	1.14
+++ ldbm_search.c	26 Nov 2008 22:42:12 -0000	1.15
@@ -1203,11 +1203,17 @@
           if((slapi_entry_flag_is_set(e->ep_entry,SLAPI_ENTRY_LDAPSUBENTRY) 
              && !filter_flag_is_set(filter,SLAPI_FILTER_LDAPSUBENTRY)) ||
             (slapi_entry_flag_is_set(e->ep_entry,SLAPI_ENTRY_FLAG_TOMBSTONE)
-             && (!isroot || !filter_flag_is_set(filter, SLAPI_FILTER_TOMBSTONE))))
+             && ((!isroot && !filter_flag_is_set(filter, SLAPI_FILTER_RUV)) ||
+             !filter_flag_is_set(filter, SLAPI_FILTER_TOMBSTONE))))
           {
             /* If the entry is an LDAP subentry and filter don't filter subentries OR 
              * the entry is a TombStone and filter don't filter Tombstone 
-             * don't return the entry
+             * don't return the entry.  We make a special case to allow a non-root user
+             * to search for the RUV entry using a filter of:
+             *
+             *     "(&(objectclass=nstombstone)(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff))"
+             *
+             * For this RUV case, we let the ACL check apply.
              */
             /* ugaston - we don't want to mistake this filter failure with the one below due to ACL, 
              * because whereas the former should be read as 'no entry must be returned', the latter
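Review bot: the new exception in the tombstone branch of this condition is keyed only on the filter flag (`!isroot && !filter_flag_is_set(filter, SLAPI_FILTER_RUV)`), not on the entry being the RUV entry. For a non-root search whose filter carries both SLAPI_FILTER_RUV and SLAPI_FILTER_TOMBSTONE, every tombstone candidate that reaches this test now proceeds to the ACL check instead of being dropped here. The comment describes the special case as applying to the single filter on nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff, so either document in the comment that SLAPI_FILTER_RUV is set only for that exact filter form, or also verify at this point that e->ep_entry is the RUV entry before letting it through. Since tombstone visibility for non-root users now rests on the ACL alone in this case, the comment should also note that the root path is unchanged (root still requires SLAPI_FILTER_TOMBSTONE). As a style point, the continuation line `!filter_flag_is_set(filter, SLAPI_FILTER_TOMBSTONE))))` would read more clearly if indented to show that it is the second operand of the `||` inside the `((` group.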



