>From 23f9aeeb1131b8ab08a3c308f31affde05299ee8 Mon Sep 17 00:00:00 2001
From: Matthieu Patou
Date: Sat, 13 Oct 2012 13:46:58 -0700
Subject: [PATCH] dsdb-acls: Add documentation

Add documentation on ACLs.
---
 source4/dsdb/samdb/ldb_modules/acl_util.c | 61 ++++++++++++++++++++++++++++-
 1 file changed, 59 insertions(+), 2 deletions(-)

diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c
index 50bf888..7c295c7 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_util.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_util.c
@@ -90,6 +90,38 @@ int dsdb_module_check_access_on_dn(struct ldb_module *module,
 guid);
 }
 
+/**
+ * @brief Checks the current as the requested access on 1 attribute
+ *
+ * This function checks if a given trustee has the requested access
+ * on the specified attribute given the current security descriptor.
+ * The attribute can be NULL in this case the check will skip the
+ * OBJECT_ACE entries.
+ *
+ * @param[in] module A struct ldb_module object, security token
+ for the current user are stored within the
+ module object.
+ *
+ * @param[in] mem_ctx A talloc context object for memory allocation
+ *
+ * @param[in] sd A security descriptor for attr
+ *
+ * @param[in] rp_sid The SID of the domain, used for expanding
+ * trustee in ACE that are just a RID.
+ *
+ * @param[in] access_mask An integer that represents the desired access
+ * that the security descriptor should grant to
+ * the user on the given attribute
+ *
+ * @param[in] attr A dsdb_attribute for which the checks should be
+ * performed.
+ *
+ * @return Returns LDB_SUCCESS on success, on error another
+ * ldb error code.
+ * If the requested rights are not granted
+ * LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS will be returned.
+ *
+ */
 int acl_check_access_on_attribute(struct ldb_module *module,
 TALLOC_CTX *mem_ctx,
 struct security_descriptor *sd,
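Review bot: The new `@brief` on acl_check_access_on_attribute, `Checks the current as the requested access on 1 attribute`, does not parse as a sentence; suggest `@brief Check whether the current user has the requested access on one attribute`. The sentence `The attribute can be NULL in this case the check will skip the OBJECT_ACE entries` is the security-relevant part of the contract and should be spelled out, e.g. `@note attr may be NULL; object-specific (OBJECT_ACE) entries are then not evaluated`, since a caller that passes NULL for a real attribute presumably ends up with a weaker check than intended. The two continuation lines under `@param[in] module` (`for the current user are stored within the` and `module object.`) lack the leading ` *` that every other continuation line in the block uses. The parameter list of acl_check_access_on_attribute continues outside the hunk, so whether each `@param` tag matches the actual parameter name cannot be confirmed from here.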
@@ -150,8 +182,33 @@ fail:
 return ldb_operr(ldb_module_get_ctx(module));
 }
-
-/* checks for validated writes */
+/**
+ * @brief Checks if a given extended right grants the desired access for a given user
+ *
+ * This function checks if a given user is granted the specified extended right
+ * with the requested access right.
+ *
+ * @param[in] mem_ctx A talloc context object for memory allocation
+ *
+ * @param[in] sd A security descriptor for attr
+ *
+ * @param[in] token The security token reprensenting the user
+ *
+ * @param[in] ext_right A string representation of the GUID of the extended
+ * right to test.
+ *
+ * @param[in] right_typ An integer that represents the desired access
+ * that the security descriptor should grant to
+ * the user for the specified extended access right
+ *
+ * @param[in] dom_sid The SID of the domain, used for expanding
+ * trustee in ACE that are just a RID.
+ *
+ * @return Returns LDB_SUCCESS on success, on error another
+ * ldb error code.
+ * If the requested rights are not granted
+ * LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS will be returned.
+ */
 int acl_check_extended_right(TALLOC_CTX *mem_ctx,
 struct security_descriptor *sd,
 struct security_token *token,
-- 
1.7.9.5
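Review bot: `@param[in] sd A security descriptor for attr` on acl_check_extended_right was carried over from the attribute check above, but this function has no `attr` parameter; suggest `@param[in] sd The security descriptor of the object on which the extended right is checked`. `reprensenting` in the `token` description is a typo for `representing`, and the tags `right_typ` and `dom_sid` must be spelled exactly as the parameters are named in the signature, which continues outside the hunk, or Doxygen will report them as unknown while leaving the real parameters undocumented. The removed line `/* checks for validated writes */` carried a hint about this function's role that the new block drops; if it is still accurate, a sentence such as `This is also the check used for validated writes.` in the description would preserve it.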