1 files changed, 19 insertions, 6 deletions

diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh
index 1dda3dc..7046716 100755
--- a/ldap/test-user-acl.sh
+++ b/ldap/test-user-acl.sh
@@ -238,6 +238,7 @@ echo "Authenticated users, access to domain entries"
 #       +w if owner or postmaster
 # * fripostPendingToken
 #       =zscd if owner or postmaster
+#       =s for all if there is no pending token
 # * fripostCanAddAlias
 #       =rscd if canAddAlias, owner or postmaster
 #       +w if postmaster
@@ -274,22 +275,34 @@ usersD fripostOwner/add fripostOwner/delete \
 [ $? -eq 0 ] || exit $?
 
 
-msg "Have =0 rights on the \"pending\" status (unless owner or postmaster)"
+msg "Have =s rights on the \"pending\" status if absent"
 for U in ${USERS}; do
     for D in ${DOMAINS}; do
-        search -s base -b "${D},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX})
-                                              (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
+        search -s base -b "${D},${SUFFIX}" "(!(fripostPendingToken=*))" | grep -q '^dn: ' && \
+        checkACL "${U}" "${D}" fripostPendingToken
+    done
+done | isOK '=s$'
+[ $? -eq 0 ] || exit $?
+
+
+msg "Have =0 rights on the \"pending\" status if present (unless owner or postmaster)"
+for U in ${USERS}; do
+    for D in ${DOMAINS}; do
+        search -s base -b "${D},${SUFFIX}" "(&(!(|(fripostOwner=${U},${SUFFIX})
+                                                  (fripostPostmaster=${U},${SUFFIX})))
+                                              (fripostPendingToken=*))" | grep -q '^dn: ' && \
         checkACL "${U}" "${D}" fripostPendingToken
     done
 done | isOK '=0$'
 [ $? -eq 0 ] || exit $?
 
 
-msg "Have =zscd access on the \"pending\" status (if owner or postmaster)"
+msg "Have =zscd access on the \"pending\" status if present (if owner or postmaster)"
 for U in ${USERS}; do
     for D in ${DOMAINS}; do
-        search -s base -b "${D},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX})
-                                              (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' && \
+        search -s base -b "${D},${SUFFIX}" "(&(|(fripostOwner=${U},${SUFFIX})
+                                                (fripostPostmaster=${U},${SUFFIX}))
+                                              (fripostPendingToken=*))" | grep -q '^dn: ' && \
         checkACL "${U}" "${D}" fripostPendingToken
     done
 done | isOK '=zscd$'