authorTomas Babej <tbabej@redhat.com>2015-07-23 14:00:06 +0200
committerTomas Babej <tbabej@redhat.com>2015-07-23 15:37:01 +0200
commitaa066f31a5341079197f7b5a79fe2fa1045688bb (patch)
treefd9a57e6074e37a953b8a2172c1346bdc007992a
parente0d3231f07426b193f2f4e1a9e9f31494a5c39b1 (diff)
idviews: Enforce objectclass check in idoverride*-del
Even with anchor-to-SID type checking, it would still be possible to delete a user ID override by specifying a group raw anchor and vice versa. This patch introduces an objectclass check in the idoverride*-del commands to prevent that. https://fedorahosted.org/freeipa/ticket/5029 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-rw-r--r--ipalib/plugins/idviews.py19
1 files changed, 19 insertions, 0 deletions
diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index 4d1aefe..cf5c9b5 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -718,6 +718,25 @@ class baseidoverride_del(LDAPDelete):
takes_options = LDAPDelete.takes_options + (fallback_to_ldap_option,)
+ def pre_callback(self, ldap, dn, *keys, **options):
+ assert isinstance(dn, DN)
+
+ # Make sure the entry we're deleting has all the objectclasses
+ # this object requires
+ try:
+ entry = ldap.get_entry(dn, ['objectclass'])
+ except errors.NotFound:
+ self.obj.handle_not_found(*keys)
+
+ required_object_classes = set(self.obj.object_class)
+ actual_object_classes = set(entry['objectclass'])
+
+ # If not, treat it as a failed search
+ if not required_object_classes.issubset(actual_object_classes):
+ self.obj.handle_not_found(*keys)
+
+ return dn
+
class baseidoverride_mod(LDAPUpdate):
__doc__ = _('Modify an ID override.')
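Review bot: The objectclass comparison on the two added `set(...)` lines is case-sensitive, while LDAP objectClass values are matched case-insensitively, so an entry whose stored values differ only in case from `self.obj.object_class` would be refused deletion even though it is the correct override type. That failure is closed rather than open, so the guard against deleting a user override through the group command still holds, but normalising both sides avoids a spurious not-found, e.g. `required_object_classes = set(oc.lower() for oc in self.obj.object_class)` and `actual_object_classes = set(oc.lower() for oc in entry['objectclass'])`. The code after the `except errors.NotFound:` branch also relies on `self.obj.handle_not_found(*keys)` raising, because `entry` is otherwise unbound; if that helper can ever return, an explicit `raise` in the branch would make the intent clear to the next reader. Reporting a type mismatch as not-found (rather than a distinct error) keeps the command from confirming that an override of the other type exists at that DN, which is worth a one-line comment such as `# Report a wrong-type entry as not found so the command does not reveal it exists`. The enclosing class `baseidoverride_del` starts before the hunk.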