From: Simon Wilkinson Date: Fri, 22 Jan 2010 21:50:44 +0000 (+0000) Subject: Revert "Fix afs_AccessOK for dropbox case" X-Git-Tag: openafs-devel-1_5_70~5 X-Git-Url: http://git.openafs.org/?p=openafs.git;a=commitdiff_plain;h=637e1eac97c2e9c0f0354cfff1a83deddb4ae24f Revert "Fix afs_AccessOK for dropbox case" This reverts commit 3f89c0feae89e9a255afb8a7f08995412a3f1b79. That change broke the expected semantics of a drop box, by opening up read() access to users to whom it would usually be denied. The expected dropbox behaviour is that whilst anyone can write a file there, only those who are specifically given r permissions may read it. Change-Id: I025cef7cad1031fbed1e914d58a0a515561f3f78 Reviewed-on: http://gerrit.openafs.org/1149 Reviewed-by: Derrick Brashear Tested-by: Derrick Brashear --- diff --git a/src/afs/VNOPS/afs_vnop_access.c b/src/afs/VNOPS/afs_vnop_access.c index f72b6e6..0a31ac8 100644 --- a/src/afs/VNOPS/afs_vnop_access.c +++ b/src/afs/VNOPS/afs_vnop_access.c @@ -148,36 +148,15 @@ afs_AccessOK(struct vcache *avc, afs_int32 arights, struct vrequest *areq, /* Avoid this GetVCache call */ tvc = afs_GetVCache(&dirFid, areq, NULL, NULL); if (tvc) { - if ((arights & (PRSFS_READ | PRSFS_WRITE))) { - /* we may need to grant implicit 'rw' rights if we have - * 'i' on the parent dir and we are the owner, so check - * for 'i' rights in addition, here */ - dirBits = afs_GetAccessBits(tvc, arights | PRSFS_INSERT, areq); - } else { - dirBits = afs_GetAccessBits(tvc, arights, areq); - } + dirBits = afs_GetAccessBits(tvc, arights, areq); afs_PutVCache(tvc); } } else dirBits = 0xffffffff; /* assume OK; this is a race condition */ - if (arights & PRSFS_ADMINISTER) { + if (arights & PRSFS_ADMINISTER) fileBits = afs_GetAccessBits(avc, arights, areq); - - } else if ((dirBits & PRSFS_INSERT) && - ((arights & (PRSFS_READ | PRSFS_WRITE)) & dirBits) != - (arights & (PRSFS_READ | PRSFS_WRITE))) { - - /* if we have 'i' rights in the directory, and we are requesting - * read or write access, AND the directory ACL (dirBits) does not - * already give us the requested read or write access, we need to - * find out if we are the owner for the file ('A' bit), for the - * "throw in R and W if we have I and A" check below */ - - fileBits = afs_GetAccessBits(avc, arights | PRSFS_ADMINISTER, areq); - - } else { + else fileBits = 0; /* don't make call if results don't matter */ - } /* compute basic rights in fileBits, taking A from file bits */ fileBits = @@ -185,8 +164,8 @@ afs_AccessOK(struct vcache *avc, afs_int32 arights, struct vrequest *areq, /* for files, throw in R and W if have I and A (owner). This makes * insert-only dirs work properly */ - /* note that we know vType(avc) != VDIR from the top-level 'else' */ - if ((fileBits & (PRSFS_ADMINISTER | PRSFS_INSERT)) == + if (vType(avc) != VDIR + && (fileBits & (PRSFS_ADMINISTER | PRSFS_INSERT)) == (PRSFS_ADMINISTER | PRSFS_INSERT)) fileBits |= (PRSFS_READ | PRSFS_WRITE);