From b0bfae266a77e52ffe1b2f7951931c9f7ae6a335 Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz <lkrispen@redhat.com>
Date: Wed, 22 Nov 2017 17:12:16 +0100
Subject: [PATCH] Ticket 48278 - GetEffectiveRights gives false-negative

Bug: the get effective rights  chack for non existing entries did not work

Fix: make sure that the code path to create template entries
    to check effective rights is executed

Reviewed by: ?
---
 ldap/servers/slapd/opshared.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/ldap/servers/slapd/opshared.c b/ldap/servers/slapd/opshared.c
index 2415712..c552e73 100644
--- a/ldap/servers/slapd/opshared.c
+++ b/ldap/servers/slapd/opshared.c
@@ -1236,8 +1236,7 @@ iterate(Slapi_PBlock *pb, Slapi_Backend *be, int send_result, int *pnentries, in
         slapi_pblock_get(pb, SLAPI_SEARCH_RESULT_ENTRY, &e);
 
         /* Check for possible get_effective_rights control */
-        if (e) {
-            if (operation->o_flags & OP_FLAG_GET_EFFECTIVE_RIGHTS) {
+        if (operation->o_flags & OP_FLAG_GET_EFFECTIVE_RIGHTS) {
                 char *errbuf = NULL;
                 char **gerattrs = NULL;
                 char **gerattrsdup = NULL;
@@ -1253,6 +1252,15 @@ iterate(Slapi_PBlock *pb, Slapi_Backend *be, int send_result, int *pnentries, in
                     done = 1;
                     continue;
                 }
+                if ( e == NULL ) {
+                    /* we have no more entries
+                     * but we might create a template entry for GER
+                     * so we need to continue, but make sure to stop
+                     * after handling the template entry
+                     */
+                   done = 1;
+                   pr_stat = PAGEDRESULTS_SEARCH_END;
+                }
 
                 slapi_pblock_get(pb, SLAPI_SEARCH_GERATTRS, &gerattrs);
                 gerattrsdup = cool_charray_dup(gerattrs);
@@ -1352,7 +1360,8 @@ iterate(Slapi_PBlock *pb, Slapi_Backend *be, int send_result, int *pnentries, in
                  * more entries to return or not. */
                     pr_stat = PAGEDRESULTS_PAGE_END;
                 }
-            } else { /* not GET_EFFECTIVE_RIGHTS */
+        /* not GET_EFFECTIVE_RIGHTS */
+        } else if (e) {
                 if (PAGEDRESULTS_PAGE_END == pr_stat) {
                     /*
                  * read ahead -- there is at least more entry.
@@ -1403,7 +1412,6 @@ iterate(Slapi_PBlock *pb, Slapi_Backend *be, int send_result, int *pnentries, in
                  * more entries to return or not. */
                     pr_stat = PAGEDRESULTS_PAGE_END;
                 }
-            }
         } else {
             /* no more entries */
             done = 1;
-- 
2.5.5