server: Ignore ACEs with the INHERIT_ONLY_ACE flag set during access checks.

Rob Shearman 2007-10-25 16:19:54 +01:00 committed by Alexandre Julliard
parent 340122abb7
commit e51f8490f2
2 changed files with 5 additions and 5 deletions


@ -908,10 +908,8 @@ static void test_AccessCheck(void)
PrivSet, &PrivSetLen, &Access, &AccessStatus); PrivSet, &PrivSetLen, &Access, &AccessStatus);
ok(ret, "AccessCheck failed with error %d\n", GetLastError()); ok(ret, "AccessCheck failed with error %d\n", GetLastError());
err = GetLastError(); err = GetLastError();
todo_wine
ok(!AccessStatus && err == ERROR_ACCESS_DENIED, "AccessCheck should have failed " ok(!AccessStatus && err == ERROR_ACCESS_DENIED, "AccessCheck should have failed "
"with ERROR_ACCESS_DENIED, instead of %d\n", err); "with ERROR_ACCESS_DENIED, instead of %d\n", err);
todo_wine
ok(!Access, "Should have failed to grant any access, got 0x%08x\n", Access); ok(!Access, "Should have failed to grant any access, got 0x%08x\n", Access);
CloseHandle(Token); CloseHandle(Token);


@ -895,11 +895,15 @@ static unsigned int token_access_check( struct token *token,
/* 4: Grant rights according to the DACL */ /* 4: Grant rights according to the DACL */
ace = (const ACE_HEADER *)(dacl + 1); ace = (const ACE_HEADER *)(dacl + 1);
for (i = 0; i < dacl->AceCount; i++) for (i = 0; i < dacl->AceCount; i++, ace = ace_next( ace ))
{ {
const ACCESS_ALLOWED_ACE *aa_ace; const ACCESS_ALLOWED_ACE *aa_ace;
const ACCESS_DENIED_ACE *ad_ace; const ACCESS_DENIED_ACE *ad_ace;
const SID *sid; const SID *sid;
if (ace->AceFlags & INHERIT_ONLY_ACE)
continue;
switch (ace->AceType) switch (ace->AceType)
{ {
case ACCESS_DENIED_ACE_TYPE: case ACCESS_DENIED_ACE_TYPE:
@ -937,8 +941,6 @@ static unsigned int token_access_check( struct token *token,
* rights we need */ * rights we need */
if (desired_access == *granted_access) if (desired_access == *granted_access)
break; break;
ace = ace_next( ace );
} }
done: done:
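Review bot: The added `if (ace->AceFlags & INHERIT_ONLY_ACE) continue;` at the top of the DACL loop carries no comment explaining why such entries are skipped, and because it sits ahead of the `switch` it drops deny entries as well as allow entries. A one-line comment above it would record that this is intended, for example `/* inherit-only ACEs apply only to child objects, so they neither grant nor deny access here */`. The test change on this page asserts that access is refused, which appears to cover an inherit-only allow entry only. A companion case with an inherit-only `ACCESS_DENIED_ACE` would pin the other direction, unless one already exists outside the visible lines. The body of `token_access_check` starts and ends outside these hunks.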