ptserver: Fix AccessOK -restricted for SYSADMINID 73/13373/2
authorAndrew Deason <adeason@sinenomine.net>
Sat, 3 Nov 2018 05:58:58 +0000 (00:58 -0500)
committerBenjamin Kaduk <kaduk@mit.edu>
Wed, 6 Feb 2019 02:13:04 +0000 (21:13 -0500)
commit3a8fa4ecd65d5d743fdc573c9f0f261aee2063b6
treeb0d9ebf3c845a0e4dcd809c41d2795f5e1c330c5
parentdfc78d533ef64c8d6daf134e2a0f67c5c16f7369
ptserver: Fix AccessOK -restricted for SYSADMINID

According to the documentation, as well as other code paths that check
for -restricted, the -restricted option does not affect members of
system:administrators. Currently, though, AccessOK only bypasses the
-restricted check if the caller is SYSADMINID itself (i.e. localauth).

Fix AccessOK to only do the -restricted checks if the caller is not in
system:administrators, to match the documentation as well as other
ptserver operations.

Change-Id: I3074d4537845f1f4deb7f4b72cdb819391b617e3
Reviewed-on: https://gerrit.openafs.org/13373
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
src/ptserver/ptutils.c