From 6abfcffc70b988af7e7cf0e3c2e0916e4e583ffb Mon Sep 17 00:00:00 2001
From: Phil
Date: Thu, 18 Jun 2015 17:25:05 -0500
Subject: [PATCH] check if the rule exists or not before allow/deny rules are added/removed, and fixes where result changed would be true on all executions.
---
 .../modules/extras/windows/win_acl.ps1 | 37 ++++++++++++++-----
 lib/ansible/modules/extras/windows/win_acl.py | 2 +-
 2 files changed, 29 insertions(+), 10 deletions(-)
diff --git a/lib/ansible/modules/extras/windows/win_acl.ps1 b/lib/ansible/modules/extras/windows/win_acl.ps1
index 320627c03f0..130b17e8304 100644
--- a/lib/ansible/modules/extras/windows/win_acl.ps1
+++ b/lib/ansible/modules/extras/windows/win_acl.ps1
@@ -1,7 +1,7 @@
 #!powershell
 # This file is part of Ansible
 #
-# Copyright 2014, Phil Schwartz
+# Copyright 2015, Phil Schwartz
 #
 # Ansible is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -118,26 +118,45 @@ Try { $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType) $objACL = Get-ACL $src - If ($state -eq "add") { + # Check if the ACE exists already in the objects ACL list + $match = $false + ForEach($rule in $objACL.Access){ + If (($rule.FileSystemRights -eq $objACE.FileSystemRights) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($rule.IdentityReference -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) { + $match = $true + Break + } + } + + If ($state -eq "add" -And $match -eq $false) { Try { $objACL.AddAccessRule($objACE) + Set-ACL $src $objACL + $result.changed = $true } Catch { - Fail-Json $result "an exception occured when adding the specified rule. it may already exist." + Fail-Json $result "an exception occured when adding the specified rule" } } - Else { + ElseIf ($state -eq "remove" -And $match -eq $true) { Try { $objACL.RemoveAccessRule($objACE) + Set-ACL $src $objACL + $result.changed = $true } Catch { - Fail-Json $result "an exception occured when removing the specified rule. it may not exist." + Fail-Json $result "an exception occured when removing the specified rule" } } - - Set-ACL $src $objACL - - $result.changed = $true + Else { + # A rule was attempting to be added but already exists + If ($match -eq $true) { + Exit-Json $result "the specified rule already exists" + } + # A rule didn't exist that was trying to be removed + Else { + Exit-Json $result "the specified rule does not exist" + } + } } Catch { Fail-Json $result "an error occured when attempting to $state $rights permission(s) on $src for $user" diff --git a/lib/ansible/modules/extras/windows/win_acl.py b/lib/ansible/modules/extras/windows/win_acl.py index 56f8c84d0db..96cfc5751b9 100644 
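Review bot: The new existence check compares `FileSystemRights` for exact equality, so with `state=remove` a request for rights that are only part of an existing ACE (say Write where the account holds Modify) never sets `$match`, falls into the final `Else`, and exits with "the specified rule does not exist" while the access stays in place. For a revocation that is a silent no-op reported as a clean exit, where the previous code at least called `RemoveAccessRule`. Consider deciding removal on overlap, e.g. `($rule.FileSystemRights -band $objACE.FileSystemRights) -ne 0`, and addition on containment, `($rule.FileSystemRights -band $objACE.FileSystemRights) -eq $objACE.FileSystemRights`, keeping the other five comparisons as they are. The inner `Catch` blocks also drop the exception text; appending `$_.Exception.Message` to the `Fail-Json` message would show whether the failure was access-denied or an unresolvable identity. The enclosing `Try` begins above this hunk, so how `$result` and `$objUser` are initialised is not visible here.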
--- a/lib/ansible/modules/extras/windows/win_acl.py +++ b/lib/ansible/modules/extras/windows/win_acl.py @@ -1,7 +1,7 @@ #!/usr/bin/python # -*- coding: utf-8 -*- -# (c) 2014, Phil Schwartz +# (c) 2015, Phil Schwartz # # This file is part of Ansible #