author | Petr Viktorin <pviktori@redhat.com> | 2012-06-29 07:24:14 -0400 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2012-07-02 08:31:03 +0200 |
commit | 03f247ec863eaafa1a760d520eaed91120d522de (patch) | |
tree | cf93c7de644b7bc85b13a08a789a624f222a9325 | |
parent | 50ebd1a339f16c147153bfdb2ee78eb51e9b5d0c (diff) | |
Explicitly filter options that permission-{add,mod} passes to aci-{add,mod}
Make permission commands not pass options that the underlying ACI commands
do not understand.
Update tests.
Remove some extraneous imports of the `copy` module.
https://fedorahosted.org/freeipa/ticket/2885
-rw-r--r-- | ipalib/plugins/delegation.py | 1 | ||||
-rw-r--r-- | ipalib/plugins/permission.py | 19 | ||||
-rw-r--r-- | ipalib/plugins/selfservice.py | 2 | ||||
-rw-r--r-- | ipalib/plugins/user.py | 1 | ||||
-rw-r--r-- | tests/test_xmlrpc/test_permission_plugin.py | 11 |
5 files changed, 19 insertions, 15 deletions
diff --git a/ipalib/plugins/delegation.py b/ipalib/plugins/delegation.py
index f602507bd..0f3eecd7b 100644
--- a/ipalib/plugins/delegation.py
+++ b/ipalib/plugins/delegation.py
@@ -18,7 +18,6 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
-import copy
 from ipalib import api, _, ngettext
 from ipalib import Flag, Str
 from ipalib.request import context
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index ec3d78d1b..89f9eaa62 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -17,8 +17,6 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
-import copy
-
 from ipalib.plugins.baseldap import *
 from ipalib import api, _, ngettext
 from ipalib import Flag, Str, StrEnum
@@ -189,6 +187,11 @@ class permission(LDAPObject):
 return False
 return True
+ def filter_aci_attributes(self, options):
+ """Return option dictionary that only includes ACI attributes"""
+ return dict((k, v) for k, v in options.items() if
+ k in self.aci_attributes)
+
 api.register(permission)
@@ -200,7 +203,7 @@ class permission_add(LDAPCreate):
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 # Test the ACI before going any further
- opts = copy.copy(options)
+ opts = self.obj.filter_aci_attributes(options)
 opts['test'] = True
 opts['permission'] = keys[-1]
 opts['aciprefix'] = ACI_PREFIX
@@ -217,7 +220,7 @@ class permission_add(LDAPCreate):
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
 # Now actually add the aci.
- opts = copy.copy(options)
+ opts = self.obj.filter_aci_attributes(options)
 opts['test'] = False
 opts['permission'] = keys[-1]
 opts['aciprefix'] = ACI_PREFIX
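Review bot: `filter_aci_attributes` keeps only the keys found in `self.aci_attributes` and drops every other option without any signal, and that attribute is defined outside this hunk, so its contents cannot be checked from here. The callers in `permission_add` (`pre_callback`, `post_callback`) and, further down, `permission_mod` and `permission_find` now rely on it as the sole allow-list. If an option that narrows the ACI were missing from `aci_attributes`, it would be discarded and the ACI would presumably be written broader than the caller asked for. The one-line docstring should spell this out: I would say that it returns a new dict restricted to `aci_attributes`, that all other options are dropped silently, and that every option which scopes the underlying ACI has to be listed in `aci_attributes`.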
@@ -340,9 +343,7 @@ class permission_mod(LDAPUpdate):
 raise errors.ValidationError(
 name='rename',error=_('New name can not be empty'))
- opts = copy.copy(options)
- for o in ['all', 'raw', 'rights', 'test', 'rename']:
- opts.pop(o, None)
+ opts = self.obj.filter_aci_attributes(options)
 setattr(context, 'aciupdate', False)
 # If there are no options left we don't need to do anything to the
 # underlying ACI.
@@ -434,13 +435,11 @@ class permission_find(LDAPSearch):
 # Now find all the ACIs that match. Once we find them, add any that
 # aren't already in the list along with their permission info.
- opts = copy.copy(options)
+ opts = self.obj.filter_aci_attributes(options)
 if aciname:
 opts['aciname'] = aciname
 opts['aciprefix'] = ACI_PREFIX
 # permission ACI attribute is needed
- opts.pop('raw', None)
- opts.pop('sizelimit', None)
 aciresults = self.api.Command.aci_find(*args, **opts)
 truncated = truncated or aciresults['truncated']
 results = aciresults['result']
diff --git a/ipalib/plugins/selfservice.py b/ipalib/plugins/selfservice.py
index 82f2a0cc0..2b1048854 100644
--- a/ipalib/plugins/selfservice.py
+++ b/ipalib/plugins/selfservice.py
@@ -17,8 +17,6 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
-import copy
-
 from ipalib import api, _, ngettext
 from ipalib import Flag, Str
 from ipalib.request import context
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 7e98bba4c..c19d9a666 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -19,7 +19,6 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 from time import gmtime, strftime, strptime
-import copy
 import string
 from ipalib import api, errors
diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py
index 847b03e58..8aaa4a999 100644
--- a/tests/test_xmlrpc/test_permission_plugin.py
+++ b/tests/test_xmlrpc/test_permission_plugin.py
@@ -304,6 +304,8 @@ class test_permission(Declarative):
 'permission_add', [permission2], dict(
 type=u'user',
 permissions=u'write',
+ setattr=u'owner=cn=test',
+ addattr=u'owner=cn=test2',
 )
 ),
 expected=dict(
@@ -315,6 +317,7 @@ class test_permission(Declarative):
 objectclass=objectclasses.permission,
 type=u'user',
 permissions=[u'write'],
+ owner=[u'cn=test', u'cn=test2'],
 ),
 ),
 ),
@@ -482,7 +485,12 @@ class test_permission(Declarative):
 dict(
 desc='Update %r' % permission1,
 command=(
- 'permission_mod', [permission1], dict(permissions=u'read', memberof=u'ipausers')
+ 'permission_mod', [permission1], dict(
+ permissions=u'read',
+ memberof=u'ipausers',
+ setattr=u'owner=cn=other-test',
+ addattr=u'owner=cn=other-test2',
+ )
 ),
 expected=dict(
 value=permission1,
@@ -494,6 +502,7 @@ class test_permission(Declarative):
 type=u'user',
 permissions=[u'read'],
 memberof=u'ipausers',
+ owner=[u'cn=other-test', u'cn=other-test2'],
 ),
 ),
 ), |
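Review bot: Nothing in these hunks exercises `permission_find`, although the commit replaces its explicit `opts.pop('raw', None)` and `opts.pop('sizelimit', None)` with the same allow-list filter; the new `setattr`/`addattr` cases at `@@ -304` and `@@ -482` cover only `permission_add` and `permission_mod`. A declarative case such as `command=('permission_find', [permission1], dict(raw=True)),` (and one with a `sizelimit`) would pin that those options still do not reach `aci_find`. The added expectations assert only the `owner` values on the permission entry, so they do not show whether the stored ACI is left untouched by `setattr`/`addattr`. The enclosing test list starts and ends outside these hunks.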