server: Ignore ACEs with the INHERIT_ONLY_ACE flag set during access checks.

e51f8490 · Rob Shearman · Alexandre Julliard · 340122ab · e51f8490 · e51f8490
Commit e51f8490 authored Oct 25, 2007 by Rob Shearman Committed by Alexandre Julliard Oct 26, 2007
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 5 deletions

security.c dlls/advapi32/tests/security.c +0 -2

token.c server/token.c +5 -3

No files found.
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -908,10 +908,8 @@ static void test_AccessCheck(void)
                      PrivSet, &PrivSetLen, &Access, &AccessStatus);
    ok(ret, "AccessCheck failed with error %d\n", GetLastError());
    err = GetLastError();
-    todo_wine
    ok(!AccessStatus && err == ERROR_ACCESS_DENIED, "AccessCheck should have failed "
       "with ERROR_ACCESS_DENIED, instead of %d\n", err);
-    todo_wine
    ok(!Access, "Should have failed to grant any access, got 0x%08x\n", Access);

    CloseHandle(Token);

--- a/server/token.c
+++ b/server/token.c
@@ -895,11 +895,15 @@ static unsigned int token_access_check( struct token *token,

    /* 4: Grant rights according to the DACL */
    ace = (const ACE_HEADER *)(dacl + 1);
-    for (i = 0; i < dacl->AceCount; i++)
+    for (i = 0; i < dacl->AceCount; i++, ace = ace_next( ace ))
    {
        const ACCESS_ALLOWED_ACE *aa_ace;
        const ACCESS_DENIED_ACE *ad_ace;
        const SID *sid;
+
+        if (ace->AceFlags & INHERIT_ONLY_ACE)
+            continue;
+
        switch (ace->AceType)
        {
        case ACCESS_DENIED_ACE_TYPE:
@@ -937,8 +941,6 @@ static unsigned int token_access_check( struct token *token,
            * rights we need */
        if (desired_access == *granted_access)
            break;
-
-        ace = ace_next( ace );
    }

 done: