Reject proxied users in acl_access_check. (Meaning a

proxy-authenticated user can never modify a capacl list.)

diff --git a/server/qsupport.pc b/server/qsupport.pc
index 04f741c01802251138a276ad7b6ac6286ad383f1..f5957a880185d39d66ea69e4e05e360b4e201699 100644 (file)
--- a/server/qsupport.pc
+++ b/server/qsupport.pc
@@ -445,8 +445,11 @@ int delete_member_from_list(struct query *q, char **argv, client *cl)
 }
 
 
-/* Don't allow someone to add someone to a list which is the acl of a query
-   unless they're on the list acl, even if they're on the query acl! */
+/* Don't allow someone to add someone to a list which is the acl of a
+ * query unless they're on the list acl, even if they're on the amtl
+ * query acl! Also, don't allow someone proxying to add someone to a
+ * capacl.
+ */
 int acl_access_check(int list_id, client *cl)
 {
   EXEC SQL BEGIN DECLARE SECTION;
@@ -467,6 +470,9 @@ int acl_access_check(int list_id, client *cl)
   if (c1 == 0 && c2 == 0)
     return 0;
 
+  if (cl->proxy_id)
+    return 1;
+
   EXEC SQL SELECT acl_type, acl_id INTO :acl_type, :acl_id
     FROM list WHERE list_id=:lid;
   return !find_member(acl_type, acl_id, cl);