diff options
| author | Tomas Babej <tbabej@redhat.com> | 2013-02-11 10:19:53 +0100 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2013-02-19 16:56:46 -0500 |
| commit | 5b64cde92a84c2e8ad2f99fd139fa5d13598b096 (patch) | |
| tree | 74e4af133106b4e2e55ef3a2258bf62c4837c656 | |
| parent | 462beacc9d13968128fa320d155016df2d72a20a (diff) | |
| download | freeipa-5b64cde92a84c2e8ad2f99fd139fa5d13598b096.tar.gz freeipa-5b64cde92a84c2e8ad2f99fd139fa5d13598b096.tar.xz freeipa-5b64cde92a84c2e8ad2f99fd139fa5d13598b096.zip | |
Prevent changing protected group's name using --setattr
The name of any protected group now cannot be changed by modifing
the cn attribute using --setattr. Unit tests have been added to
make sure there is no regression.
https://fedorahosted.org/freeipa/ticket/3354
| -rw-r--r-- | ipalib/plugins/group.py | 2 | ||||
| -rw-r--r-- | tests/test_xmlrpc/test_group_plugin.py | 15 |
2 files changed, 16 insertions, 1 deletions
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index 19404c6fa..4994dacb3 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py @@ -265,7 +265,7 @@ class group_mod(LDAPUpdate): is_protected_group = keys[-1] in PROTECTED_GROUPS - if 'rename' in options: + if 'rename' in options or 'cn' in entry_attrs: if is_protected_group: raise errors.ProtectedEntryError(label=u'group', key=keys[-1], reason=u'Cannot be renamed') diff --git a/tests/test_xmlrpc/test_group_plugin.py b/tests/test_xmlrpc/test_group_plugin.py index a74a5e4c3..2d6d2014a 100644 --- a/tests/test_xmlrpc/test_group_plugin.py +++ b/tests/test_xmlrpc/test_group_plugin.py @@ -879,6 +879,13 @@ class test_group(Declarative): ), dict( + desc='Try to rename the admins group via setattr', + command=('group_mod', [u'admins'], {'setattr': u'cn=loosers'}), + expected=errors.ProtectedEntryError(label=u'group', + key='admins', reason='Cannot be renamed'), + ), + + dict( desc='Try to modify the admins group to support external membership', command=('group_mod', [u'admins'], dict(external=True)), expected=errors.ProtectedEntryError(label=u'group', @@ -900,6 +907,14 @@ class test_group(Declarative): ), dict( + desc='Try to rename the trust admins group via setattr', + command=('group_mod', [u'trust admins'], {'setattr': u'cn=loosers'}), + expected=errors.ProtectedEntryError(label=u'group', + key='trust admins', reason='Cannot be renamed'), + ), + + + dict( desc='Try to modify the trust admins group to support external membership', command=('group_mod', [u'trust admins'], dict(external=True)), expected=errors.ProtectedEntryError(label=u'group', |