The Samba-Bugzilla – Attachment 3275 Details for
Bug 5095
Manage Documents privilege is not functional
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch
look1 (text/plain), 3.10 KB, created by
Jeremy Allison
on 2008-05-05 17:52:29 UTC
(
hide
)
Description:
Patch
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2008-05-05 17:52:29 UTC
Size:
3.10 KB
patch
obsolete
>diff --git a/source/include/rpc_spoolss.h b/source/include/rpc_spoolss.h >index baa1204..fd853fc 100755 >--- a/source/include/rpc_spoolss.h >+++ b/source/include/rpc_spoolss.h >@@ -165,6 +165,7 @@ > #define PRINTER_ACCESS_ADMINISTER 0x00000004 > #define PRINTER_ACCESS_USE 0x00000008 > #define JOB_ACCESS_ADMINISTER 0x00000010 >+#define JOB_ACCESS_READ 0x00000020 > > /* JOB status codes. */ > >@@ -194,10 +195,10 @@ > #define PRINTER_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|PRINTER_ACCESS_USE > > /* Access rights for jobs */ >-#define JOB_ALL_ACCESS STANDARD_RIGHTS_REQUIRED_ACCESS|JOB_ACCESS_ADMINISTER >-#define JOB_READ STANDARD_RIGHTS_READ_ACCESS|JOB_ACCESS_ADMINISTER >-#define JOB_WRITE STANDARD_RIGHTS_WRITE_ACCESS|JOB_ACCESS_ADMINISTER >-#define JOB_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|JOB_ACCESS_ADMINISTER >+#define JOB_ALL_ACCESS STANDARD_RIGHTS_REQUIRED_ACCESS|JOB_ACCESS_ADMINISTER|JOB_ACCESS_READ|PRINTER_ACCESS_USE >+#define JOB_READ STANDARD_RIGHTS_READ_ACCESS|JOB_ACCESS_ADMINISTER|JOB_ACCESS_READ >+#define JOB_WRITE STANDARD_RIGHTS_WRITE_ACCESS|JOB_ACCESS_ADMINISTER|PRINTER_ACCESS_USE >+#define JOB_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|JOB_ACCESS_ADMINISTER|PRINTER_ACCESS_USE > > /* ACE masks for the various print permissions */ > >diff --git a/source/printing/nt_printing.c b/source/printing/nt_printing.c >index 4356cd9..7d58a93 100644 >--- a/source/printing/nt_printing.c >+++ b/source/printing/nt_printing.c >@@ -73,6 +73,15 @@ STANDARD_MAPPING printserver_std_mapping = { > SERVER_ALL_ACCESS > }; > >+/* Map generic permissions to job object specific permissions */ >+ >+const struct generic_mapping job_generic_mapping = { >+ JOB_READ, >+ JOB_WRITE, >+ JOB_EXECUTE, >+ JOB_ALL_ACCESS >+}; >+ > /* We need one default form to support our default printer. Msoft adds the > forms it wants and in the ORDER it wants them (note: DEVMODE papersize is an > array index). Letter is always first, so (for the current code) additions >@@ -5450,6 +5459,17 @@ void map_printer_permissions(SEC_DESC *sd) > } > } > >+void map_job_permissions(SEC_DESC *sd) >+{ >+ int i; >+ >+ for (i = 0; sd->dacl && i < sd->dacl->num_aces; i++) { >+ se_map_generic(&sd->dacl->aces[i].access_mask, >+ &job_generic_mapping); >+ } >+} >+ >+ > /**************************************************************************** > Check a user has permissions to perform the given operation. We use the > permission constants defined in include/rpc_spoolss.h to check the various >@@ -5531,19 +5551,12 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type) > return False; > } > >- /* Now this is the bit that really confuses me. The access >- type needs to be changed from JOB_ACCESS_ADMINISTER to >- PRINTER_ACCESS_ADMINISTER for this to work. Something >- to do with the child (job) object becoming like a >- printer?? -tpot */ >- >- access_type = PRINTER_ACCESS_ADMINISTER; >+ map_job_permissions(secdesc->sec); >+ } else { >+ map_printer_permissions(secdesc->sec); > } >- >- /* Check access */ >- >- map_printer_permissions(secdesc->sec); > >+ /* Check access */ > result = se_access_check(secdesc->sec, user->nt_user_token, access_type, > &access_granted, &status); >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=3275">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 5095
:
2988
| 3275