From 097fae2d1d6ae04a7bfc795803f200b6f703a904 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 16 Jan 2013 16:34:56 +0100
Subject: [PATCH] dsdb-acl: add acl_check_access_on_objectclass() helper

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 source4/dsdb/samdb/ldb_modules/acl_util.c | 39 +++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c
index 13d6098a213..bbf8e660a6b 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_util.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_util.c
@@ -150,6 +150,45 @@ fail:
 	return ldb_operr(ldb_module_get_ctx(module));
 }
 
+int acl_check_access_on_objectclass(struct ldb_module *module,
+				    TALLOC_CTX *mem_ctx,
+				    struct security_descriptor *sd,
+				    struct dom_sid *rp_sid,
+				    uint32_t access_mask,
+				    const struct dsdb_class *objectclass)
+{
+	int ret;
+	NTSTATUS status;
+	uint32_t access_granted;
+	struct object_tree *root = NULL;
+	struct object_tree *new_node = NULL;
+	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+	struct security_token *token = acl_user_token(module);
+
+	if (!insert_in_object_tree(tmp_ctx,
+				   &objectclass->schemaIDGUID,
+				   access_mask, &root,
+				   &new_node)) {
+		DEBUG(10, ("acl_search: cannot add to object tree class schemaIDGUID\n"));
+		goto fail;
+	}
+
+	status = sec_access_check_ds(sd, token,
+				     access_mask,
+				     &access_granted,
+				     root,
+				     rp_sid);
+	if (!NT_STATUS_IS_OK(status)) {
+		ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+	} else {
+		ret = LDB_SUCCESS;
+	}
+	talloc_free(tmp_ctx);
+	return ret;
+fail:
+	talloc_free(tmp_ctx);
+	return ldb_operr(ldb_module_get_ctx(module));
+}
 
 /* checks for validated writes */
 int acl_check_extended_right(TALLOC_CTX *mem_ctx,
-- 
2.11.4.GIT