webui: hide non-readable fields

hide widgets if associated field had received attribute level rights
without 'r' right.

Explicit rights are required to avoid hiding of special widgets which
are not associated with any LDAP attribute.

https://fedorahosted.org/freeipa/ticket/4402

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>

3 files changed, 51 insertions, 2 deletions

diff --git a/install/ui/src/freeipa/FieldBinder.js b/install/ui/src/freeipa/FieldBinder.js
index ed05d2531..7ee8e5874 100644
--- a/install/ui/src/freeipa/FieldBinder.js
+++ b/install/ui/src/freeipa/FieldBinder.js
@@ -121,6 +121,7 @@ define(['dojo/_base/declare',
             this.handle(field, 'require-change', this.on_field_require_change);
             this.handle(field, 'writable-change', this.on_field_writable_change);
             this.handle(field, 'readonly-change', this.on_field_readonly_change);
+            this.handle(field, 'acl-rights-change', this.on_field_acl_rights_change);
             this.handle(field, 'reset', this.on_field_reset);
 
             this.handle(widget, 'value-change', this.on_widget_value_change);
@@ -241,6 +242,18 @@ define(['dojo/_base/declare',
         },
 
         /**
+         * Field acl rights change handler
+         * @protected
+         */
+        on_field_acl_rights_change: function(event) {
+
+            var readable= event.rights.indexOf('r') > -1;
+            if (this.widget.set_readable) {
+                this.widget.set_readable(readable);
+            }
+        },
+
+        /**
          * Field reset handler
          *
          * @param {Object} event
diff --git a/install/ui/src/freeipa/field.js b/install/ui/src/freeipa/field.js
index ea22d6d06..f53c6c1d0 100644
--- a/install/ui/src/freeipa/field.js
+++ b/install/ui/src/freeipa/field.js
@@ -106,6 +106,16 @@ field.field = IPA.field = function(spec) {
     that.acl_param = spec.acl_param || that.param;
 
     /**
+     * Rights which determines what operation can do with this field or
+     * attribute.
+     *
+     * E.g., 'rscwo' - read, search, compare, write(mod-add), obliterate(mod-del)
+     *
+     * @property {string}
+     */
+    that.acl_rights = spec.acl_rights || 'r';
+
+    /**
      * Label
      * @property {string}
      */
@@ -449,6 +459,7 @@ field.field = IPA.field = function(spec) {
     that.load_writable = function(record) {
 
         var writable = true;
+        var old = that.acl_rights;
 
         function has_write(record, param) {
             var rights = record.attributelevelrights[param];
@@ -466,11 +477,17 @@ field.field = IPA.field = function(spec) {
             }
         }
 
-        if (record && record.attributelevelrights && writable) {
+        if (record && record.attributelevelrights) {
             var rights = record.attributelevelrights[that.acl_param];
             var write_attr = has_write(record, that.acl_param);
+            var all_rights = record.attributelevelrights['*'];
             var write_all = has_write(record, '*');
 
+            // don't assume any value if the rights are not defined, keep the original
+            if (rights !== undefined || all_rights !== undefined) {
+                that.acl_rights = rights || all_rights || '';
+            }
+
             // Some objects in LDAP may not have proper object class set and
             // therefore server doesn't send proper attribute rights. Flag
             // 'w_if_no_aci' should be used when we want to ensure that UI
@@ -480,10 +497,13 @@ field.field = IPA.field = function(spec) {
             var may_add_oc = !rights && write_oc && that.flags.indexOf('w_if_no_aci') > -1;
 
             // If no rights, change writable to False:
-            writable = write_attr || write_all || may_add_oc;
+            writable = writable && (write_attr || write_all || may_add_oc);
         }
 
         that.set_writable(writable);
+        if (old !== that.acl_rights) {
+            that.emit('acl-rights-change', { source: that, rights: that.acl_rights, old: old });
+        }
     };
 
     /**
diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js
index d5837e7ea..252fe0208 100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -406,6 +406,9 @@ IPA.input_widget = function(spec) {
      */
     that.ctor_init = function() {
         on(that, 'value-change', that.hide_if_empty);
+        on(that, 'readable-change', function() {
+            that.set_visible();
+        });
     };
 
     /**
@@ -641,9 +644,22 @@ IPA.input_widget = function(spec) {
         if (that.has_value === false && !that.is_writable() && that.hidden_if_empty) {
             visible = false;
         }
+        if (that.readable !== undefined) {
+            visible = visible && that.readable;
+        }
         return visible;
     };
 
+    that.set_readable = function(readable) {
+
+        var old = that.readable;
+        that.readable = readable;
+
+        if (old !== that.readable) {
+            that.emit('readable-change', { source: that, readable: readable });
+        }
+    };
+
     /**
      * Widget is writable
      * @return {boolean}