From d26753f961bcc8e685249856428c2c7a2e7ebd99 Mon Sep 17 00:00:00 2001
From: Jamie Cameron
Date: Wed, 6 May 2009 01:02:34 +0000
Subject: [PATCH] Move LDIF access control rules up and down

---
 ldap-server/acl_form.cgi | 20 +++++++++++++-----
 ldap-server/delete_acls.cgi | 22 ++++++++++++++++----
 ldap-server/down_acl.cgi | 37 +++++++++++++++++++++++++---------
 ldap-server/edit_acl.cgi | 13 ++++++++++--
 ldap-server/index.cgi | 3 ++-
 ldap-server/lang/en | 1 +
 ldap-server/ldap-server-lib.pl | 14 ++++++++-----
 ldap-server/up_acl.cgi | 37 +++++++++++++++++++++++++---------
 8 files changed, 112 insertions(+), 35 deletions(-)

diff --git a/ldap-server/acl_form.cgi b/ldap-server/acl_form.cgi
index e989d8648..3fb066e4c 100644
--- a/ldap-server/acl_form.cgi
+++ b/ldap-server/acl_form.cgi
@@ -6,9 +6,18 @@ require './ldap-server-lib.pl';
 $access{'acl'} || &error($text{'acl_ecannot'});
 &ReadParse();
 
+# Get ACLs
+if (&get_config_type() == 1) {
+	$conf = &get_config();
+	@access = &find("access", $conf);
+	}
+else {
+	$defdb = &get_default_db();
+	$conf = &get_ldif_config();
+	@access = &find_ldif("olcAccess", $conf, $defdb);
+	}
+
 # Page header
-$conf = &get_config();
-@access = &find("access", $conf);
 if ($in{'new'}) {
 	&ui_print_header(undef, $text{'eacl_title1'}, "", "eacl");
 	$p = { 'what' => '*',
@@ -27,8 +36,9 @@ print &ui_hidden("idx", $in{'idx'});
 print &ui_table_start($text{'eacl_header'}, undef, 2);
 
 # Granting to what object
-$what = $p->{'what'} eq '*' ? 1 : 0;
-if ($p->{'what'} =~ /^dn(\.([^=]+))?=(.*)$/i) {
+$what = $p->{'what'} eq '*' || $p->{'what'} eq '' ? 1 : 0;
+if ($p->{'what'} =~ /^dn(\.([^=]+))?="(.*)"$/i ||
+    $p->{'what'} =~ /^dn(\.([^=]+))?=(.*)$/i) {
 	$dn = $3;
 	$style = $2;
 	}
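Review bot: The ten-line "Get ACLs" block added at the top of the first hunk is repeated verbatim in the delete_acls.cgi and edit_acl.cgi hunks, and the matching save dispatch appears again in delete_acls.cgi, down_acl.cgi and up_acl.cgi, so the config-type decision now lives in five scripts. Two helpers in ldap-server-lib.pl, for example `($conf, $defdb, @access) = &get_access_rules();` and `&save_access_rules($conf, $defdb, @access);` (names are a suggestion), would keep the `&get_config_type() == 1` test and the `olcAccess`/`access` naming in one place and make later fixes land everywhere at once. Each page only uses `$conf`, `$defdb` and `@access` from the block, so the helpers can return exactly those.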
@@ -72,7 +82,7 @@ foreach $b (@{$p->{'by'}}, { }, { }, { }) {
 		   [ 'other', $text{'eacl_other'} ] ], 1, 0, 0, 0,
 		   "style='width:45%' onChange='form.who_$i.disabled = (form.wmode_$i.value != \"other\")'").
-	    &ui_textbox("who_$i", $kwho ? "" : $b->{'who'}, 30,
+	    &ui_textbox("who_$i", $kwho ? "" : $b->{'who'}, 50,
 			$kwho, undef, "style='width:45%'"),
 
 	# What access level? Show textbox if complex
diff --git a/ldap-server/delete_acls.cgi b/ldap-server/delete_acls.cgi
index 6bc122de2..414f9f7d3 100644
--- a/ldap-server/delete_acls.cgi
+++ b/ldap-server/delete_acls.cgi
@@ -9,8 +9,17 @@ $access{'acl'} || &error($text{'acl_ecannot'});
 
 # Filter out un-wanted rules
 &lock_slapd_files();
-$conf = &get_config();
-@access = &find("access", $conf);
+
+if (&get_config_type() == 1) {
+	$conf = &get_config();
+	@access = &find("access", $conf);
+	}
+else {
+	$defdb = &get_default_db();
+	$conf = &get_ldif_config();
+	@access = &find_ldif("olcAccess", $conf, $defdb);
+	}
+
 %d = map { $_, 1 } split(/\0/, $in{'d'});
 keys(%d) || &error($text{'dacl_enone'});
 for($i=0; $i<@access; $i++) {
@@ -18,8 +27,13 @@ for($i=0; $i<@access; $i++) {
 	}
 
 # Save them
-&save_directive($conf, "access", @newaccess);
-&flush_file_lines($config{'config_file'});
+if (&get_config_type() == 1) {
+	&save_directive($conf, "access", @newaccess);
+	}
+else {
+	&save_ldif_directive($conf, "olcAccess", $defdb, @newaccess);
+	}
+&flush_file_lines();
 &unlock_slapd_files();
 &webmin_log("delete", "accesses", scalar(keys(%d)));
 
diff --git a/ldap-server/down_acl.cgi b/ldap-server/down_acl.cgi
index fb94ec866..ec4c19470 100644
--- a/ldap-server/down_acl.cgi
+++ b/ldap-server/down_acl.cgi
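Review bot: In the delete_acls.cgi save hunk the old-style branch now ends with a bare `&flush_file_lines();`, while the same branch in the down_acl.cgi and up_acl.cgi hunks keeps `&flush_file_lines($config{'config_file'});`; flushing every file read so far is presumably harmless here, but the three scripts should agree on one form. The two hunks also call `&get_config_type()` once to load and once to save, and `$defdb` is only set in the first else branch, so correctness of the second else branch silently depends on the two calls returning the same value; assigning the type once near the top, `$type = &get_config_type();`, and testing `$type == 1` in both places makes that dependency explicit and avoids the repeated lookup.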
@@ -6,17 +6,36 @@ require './ldap-server-lib.pl';
 $access{'acl'} || &error($text{'acl_ecannot'});
 &ReadParse();
 
-# Find it
 &lock_slapd_files();
-$conf = &get_config();
-@access = &find("access", $conf);
-$p = &parse_ldap_access($access[$in{'idx'}]);
-# Move up
-($access[$in{'idx'}+1], $access[$in{'idx'}]) =
-	($access[$in{'idx'}], $access[$in{'idx'}+1]);
-&save_directive($conf, "access", @access);
-&flush_file_lines($config{'config_file'});
+if (&get_config_type() == 1) {
+	# Move down in old-style config
+	$conf = &get_config();
+	@access = &find("access", $conf);
+	($access[$in{'idx'}+1], $access[$in{'idx'}]) =
+		($access[$in{'idx'}], $access[$in{'idx'}+1]);
+	&save_directive($conf, "access", @access);
+	&flush_file_lines($config{'config_file'});
+	}
+else {
+	# Move down in LDIF config
+	$defdb = &get_default_db();
+	$conf = &get_ldif_config();
+	@access = &find_ldif("olcAccess", $conf, $defdb);
+	($access[$in{'idx'}+1], $access[$in{'idx'}]) =
+		($access[$in{'idx'}], $access[$in{'idx'}+1]);
+	if ($access[$in{'idx'}]->{'values'}->[0] =~ /^\{\d+\}to/ &&
+	    $access[$in{'idx'}+1]->{'values'}->[0] =~ /^\{\d+\}to/) {
+		# Swap indexes too
+		($access[$in{'idx'}]->{'values'}->[0],
+		 $access[$in{'idx'}+1]->{'values'}->[0]) =
+			($access[$in{'idx'}+1]->{'values'}->[0],
+			 $access[$in{'idx'}]->{'values'}->[0]);
+		}
+	&save_ldif_directive($conf, "olcAccess", $defdb, @access);
+	&flush_file_lines();
+	}
+
 &unlock_slapd_files();
 &webmin_log("down", "access", $p->{'what'});
 
diff --git a/ldap-server/edit_acl.cgi b/ldap-server/edit_acl.cgi
index b43749de8..f91e64b14 100644
--- a/ldap-server/edit_acl.cgi
+++ b/ldap-server/edit_acl.cgi
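Review bot: `$p` is no longer assigned anywhere in the new code, yet the unchanged `&webmin_log("down", "access", $p->{'what'});` at the end of the hunk still reads it, so the action log records an empty rule description; the removed `$p = &parse_ldap_access($access[$in{'idx'}]);` should be restored in both branches right after `@access` is filled and before the swap. The up_acl.cgi hunk has the identical omission. Separately, `$in{'idx'}` comes straight from the request and is used as an array index with no range check: here `$in{'idx'}+1` past the last rule leaves an undefined slot in `@access` that the `->{'values'}->[0]` test then autovivifies into an empty rule and passes to the save routine, and in up_acl.cgi an idx of 0 yields index -1, i.e. the last rule, so a guard such as `$in{'idx'} =~ /^\d+$/ && $in{'idx'}+1 < @access || &error(...);` before the swap (with `$in{'idx'} > 0` for the up direction) closes both. Whether the `{n}` index swap is complete also depends on `values->[0]` holding only the `{n}to` token, which the tokenisation in find_ldif presumably guarantees but this hunk does not show.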
@@ -6,8 +6,17 @@ require './ldap-server-lib.pl';
 $access{'acl'} || &error($text{'acl_ecannot'});
 &ui_print_header(undef, $text{'acl_title'}, "", "acl");
 
-$conf = &get_config();
-@access = &find("access", $conf);
+# Get ACLs
+if (&get_config_type() == 1) {
+	$conf = &get_config();
+	@access = &find("access", $conf);
+	}
+else {
+	$defdb = &get_default_db();
+	$conf = &get_ldif_config();
+	@access = &find_ldif("olcAccess", $conf, $defdb);
+	}
+
 @crlinks = ( "$text{'acl_add'}" );
 if (@access) {
 	# Show table of ACLs
diff --git a/ldap-server/index.cgi b/ldap-server/index.cgi
index 5a955b270..75a08e34e 100644
--- a/ldap-server/index.cgi
+++ b/ldap-server/index.cgi
@@ -79,7 +79,8 @@ if ($p && ref($ldap) && $access{'browser'}) {
 if ($local) {
 	# All local server icons
 	@pages = ( &get_config_type() == 1 ? "slapd" : "ldif",
-		   "schema", "acl", "browser", "create" );
+		   &get_config_type() == 1 ? ( "schema" ) : ( ),
+		   "acl", "browser", "create" );
 	}
 else {
 	# Just browser and DN creator
diff --git a/ldap-server/lang/en b/ldap-server/lang/en
index 4b1c7c0a9..5bd1d3b88 100644
--- a/ldap-server/lang/en
+++ b/ldap-server/lang/en
@@ -284,6 +284,7 @@ access_read=read
 access_write=write
 access_all=anyone
 access_any=All objects
+access_nodn=Objects with no DN
 access_lnone=No access
 access_lauth=Authenticate
 access_lcompare=Compare
diff --git a/ldap-server/ldap-server-lib.pl b/ldap-server/ldap-server-lib.pl
index fbf1dfdf1..bf866d1c4 100644
--- a/ldap-server/ldap-server-lib.pl
+++ b/ldap-server/ldap-server-lib.pl
@@ -633,8 +633,11 @@ sub parse_ldap_access
 local ($a) = @_;
 local @v = @{$a->{'values'}};
 local $p = { };
-shift(@v); # Remove to
-$p->{'what'} = shift(@v); # Object
+print STDERR "v=",join("/", @v),"\n";
+shift(@v); # Remove to or {x}to
+if ($v[0] !~ /^(filter|attrs)=/) {
+	$p->{'what'} = shift(@v); # Object
+	}
 if ($v[0] =~ /^filter=(\S+)/) {
 	# Filter added to what
 	$p->{'filter'} = $1;
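Review bot: `print STDERR "v=",join("/", @v),"\n";`, the first added line of the parse_ldap_access hunk in ldap-server-lib.pl, looks like leftover debugging: it runs for every access rule parsed by every page of the module and writes the full rule text (DNs, filters, who-clauses) to the web server's error log, where it is retained and readable outside the module's own access control. It should be removed before merge, or at minimum guarded by an explicit debug flag. parse_ldap_access starts with the hunk but its body continues past the end of it.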
@@ -665,11 +668,12 @@ while(@v) {
 	push(@{$p->{'by'}}, $by);
 	}
 $p->{'bydesc'} = join(", ", @descs);
-if ($p->{'what'} eq '*') {
+if ($p->{'what'} eq '*' || $p->{'what'} eq '') {
 	$p->{'whatdesc'} = $text{'access_any'};
 	}
-elsif ($p->{'what'} =~ /^dn(\.[^=]+)?=(.*)$/) {
-	$p->{'whatdesc'} = "$2";
+elsif ($p->{'what'} =~ /^dn(\.[^=]+)?="(.*)"$/ ||
+       $p->{'what'} =~ /^dn(\.[^=]+)?=(.*)$/) {
+	$p->{'whatdesc'} = $2 ne '' ? "$2" : $text{'access_nodn'};
 	}
 else {
 	$p->{'whatdesc'} = $p->{'what'};
diff --git a/ldap-server/up_acl.cgi b/ldap-server/up_acl.cgi
index 659816af2..3ecac15f4 100644
--- a/ldap-server/up_acl.cgi
+++ b/ldap-server/up_acl.cgi
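Review bot: The new `$p->{'what'} eq ''` test on the first changed line is there to catch a rule with no object clause, but after the earlier hunk in this sub `$p->{'what'}` is then never assigned at all, so the value being compared is undef rather than ''; the branch is still taken because undef stringifies to '', but with warnings enabled every such rule emits an uninitialized-value warning, and the same comparison is repeated in the acl_form.cgi hunk. Initialising the field where `$p` is created, `local $p = { 'what' => '' };` (that line is in the first hunk of this file), makes the empty-object case explicit for both callers. The pair of `dn=` regexes added here duplicates the pair added to acl_form.cgi with only the capture numbering differing, so a single precompiled `qr//` exported from the lib would keep them from drifting apart. parse_ldap_access begins before this hunk and ends after it.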
@@ -6,17 +6,36 @@ require './ldap-server-lib.pl';
 $access{'acl'} || &error($text{'acl_ecannot'});
 &ReadParse();
 
-# Find it
 &lock_slapd_files();
-$conf = &get_config();
-@access = &find("access", $conf);
-$p = &parse_ldap_access($access[$in{'idx'}]);
-# Move up
-($access[$in{'idx'}-1], $access[$in{'idx'}]) =
-	($access[$in{'idx'}], $access[$in{'idx'}-1]);
-&save_directive($conf, "access", @access);
-&flush_file_lines($config{'config_file'});
+if (&get_config_type() == 1) {
+	# Move up in old-style config
+	$conf = &get_config();
+	@access = &find("access", $conf);
+	($access[$in{'idx'}-1], $access[$in{'idx'}]) =
+		($access[$in{'idx'}], $access[$in{'idx'}-1]);
+	&save_directive($conf, "access", @access);
+	&flush_file_lines($config{'config_file'});
+	}
+else {
+	# Move up in LDIF config
+	$defdb = &get_default_db();
+	$conf = &get_ldif_config();
+	@access = &find_ldif("olcAccess", $conf, $defdb);
+	($access[$in{'idx'}-1], $access[$in{'idx'}]) =
+		($access[$in{'idx'}], $access[$in{'idx'}-1]);
+	if ($access[$in{'idx'}]->{'values'}->[0] =~ /^\{\d+\}to/ &&
+	    $access[$in{'idx'}-1]->{'values'}->[0] =~ /^\{\d+\}to/) {
+		# Swap indexes too
+		($access[$in{'idx'}]->{'values'}->[0],
+		 $access[$in{'idx'}-1]->{'values'}->[0]) =
+			($access[$in{'idx'}-1]->{'values'}->[0],
+			 $access[$in{'idx'}]->{'values'}->[0]);
+		}
+	&save_ldif_directive($conf, "olcAccess", $defdb, @access);
+	&flush_file_lines();
+	}
+
 &unlock_slapd_files();
 &webmin_log("up", "access", $p->{'what'});