advapi32: Don't revoke ACCESS_DENIED_ACE.

REVOKE_ACCESS is only documented to remove ACCESS_ALLOWED_ACE and SYSTEM_AUDIT_ACE. Signed-off-by: Adam Gashlin <agashlin@gmail.com> Signed-off-by: Alexandre Julliard <julliard@winehq.org>

advapi32: Don't revoke ACCESS_DENIED_ACE.
23ffd0a7 · Adam Gashlin · Alexandre Julliard · 6dd96842 · 23ffd0a7 · 23ffd0a7
Commit 23ffd0a7 authored Mar 01, 2021 by Adam Gashlin Committed by Alexandre Julliard Mar 15, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 27 additions and 2 deletions

security.c dlls/advapi32/security.c +1 -2

security.c dlls/advapi32/tests/security.c +26 -0

No files found.
--- a/dlls/advapi32/security.c
+++ b/dlls/advapi32/security.c
@@ -2314,8 +2314,7 @@ DWORD WINAPI SetEntriesInAclW( ULONG count, PEXPLICIT_ACCESSW pEntries,
                            add = FALSE;
                        break;
                    case ACCESS_DENIED_ACE_TYPE:
-                        if (EqualSid(ppsid[j], &((ACCESS_DENIED_ACE *)old_ace_header)->SidStart))
-                            add = FALSE;
+                        /* REVOKE_ACCESS does not affect ACCESS_DENIED_ACE. */
                        break;
                    case SYSTEM_AUDIT_ACE_TYPE:
                        if (EqualSid(ppsid[j], &((SYSTEM_AUDIT_ACE *)old_ace_header)->SidStart))

--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -7437,6 +7437,32 @@ static void test_GetExplicitEntriesFromAclW(void)
    ok(access2 == NULL, "access2 was not NULL\n");
    LocalFree(new_acl);

+    /* Make the ACL both Allow and Deny Everyone. */
+    res = AddAccessAllowedAce(old_acl, ACL_REVISION, KEY_READ, everyone_sid);
+    ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError());
+    res = AddAccessDeniedAce(old_acl, ACL_REVISION, KEY_WRITE, everyone_sid);
+    ok(res, "AddAccessDeniedAce failed with error %d\n", GetLastError());
+    /* Revoke Everyone. */
+    access.Trustee.ptstrName = everyone_sid;
+    access.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
+    access.grfAccessPermissions = 0;
+    new_acl = NULL;
+    res = pSetEntriesInAclW(1, &access, old_acl, &new_acl);
+    ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
+    ok(new_acl != NULL, "returned acl was NULL\n");
+    /* Deny Everyone should remain (along with Grant Users from earlier). */
+    access2 = NULL;
+    res = pGetExplicitEntriesFromAclW(new_acl, &count, &access2);
+    ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
+    ok(count == 2, "Expected count == 2, got %d\n", count);
+    ok(access2[0].grfAccessMode == GRANT_ACCESS, "Expected GRANT_ACCESS, got %d\n", access2[0].grfAccessMode);
+    ok(access2[0].grfAccessPermissions == KEY_READ , "Expected KEY_READ, got %d\n", access2[0].grfAccessPermissions);
+    ok(EqualSid(access2[0].Trustee.ptstrName, users_sid), "Expected equal SIDs\n");
+    ok(access2[1].grfAccessMode == DENY_ACCESS, "Expected DENY_ACCESS, got %d\n", access2[1].grfAccessMode);
+    ok(access2[1].grfAccessPermissions == KEY_WRITE, "Expected KEY_WRITE, got %d\n", access2[1].grfAccessPermissions);
+    ok(EqualSid(access2[1].Trustee.ptstrName, everyone_sid), "Expected equal SIDs\n");
+    LocalFree(access2);
+
    FreeSid(users_sid);
    FreeSid(everyone_sid);
    HeapFree(GetProcessHeap(), 0, old_acl);