authorRob Crittenden <rcritten@redhat.com>2008-02-22 15:40:21 -0500
committerRob Crittenden <rcritten@redhat.com>2008-02-22 15:40:21 -0500
commit02d3c5aff3f449f23ff7f3814b54383a3de263bc (patch)
tree222745312ee97816ab57999298f8b51dca22fa00
parent44797e39175bafeed8dc43845fa5ea44911908dd (diff)
Don't allow a group to be a member of itself.
434542
-rw-r--r--ipa-python/ipaerror.py5
-rw-r--r--ipa-server/xmlrpc-server/funcs.py6
2 files changed, 10 insertions, 1 deletions
diff --git a/ipa-python/ipaerror.py b/ipa-python/ipaerror.py
index 34837face..570cbb938 100644
--- a/ipa-python/ipaerror.py
+++ b/ipa-python/ipaerror.py
@@ -138,6 +138,11 @@ INPUT_INVALID_PARAMETER = gen_error_code(
0x0001,
"Invalid parameter(s)")
+INPUT_SAME_GROUP = gen_error_code(
+ INPUT_CATEGORY,
+ 0x0002,
+ "You can't add a group to itself")
+
#
# Connection errors
#
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index 7634b5951..37523308f 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -1258,6 +1258,8 @@ class IPAServer:
"""
if not member_dn or not group_dn:
raise ipaerror.gen_exception(ipaerror.INPUT_INVALID_PARAMETER)
+ if member_dn.lower() == group_dn.lower():
+ raise ipaerror.gen_exception(ipaerror.INPUT_SAME_GROUP)
old_group = self.get_entry_by_dn(group_dn, None, opts)
if old_group is None:
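Review bot: The new guard `member_dn.lower() == group_dn.lower()` compares the DNs as raw strings, so two spellings of the same DN that differ only in spacing after a comma or in value escaping are not recognised as equal and the group can still be added to itself. The same comparison is added in the add_group_to_group hunk below. Comparing a parsed form would be more reliable, for example `if ldap.dn.str2dn(member_dn.lower()) == ldap.dn.str2dn(group_dn.lower()):` (assuming python-ldap is already imported in this file), or doing the comparison against the DN of the entry that `get_entry_by_dn` returns. The enclosing method starts above this hunk and continues below it.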
@@ -1591,13 +1593,15 @@ class IPAServer:
return res
def add_group_to_group(self, group, tgroup, opts=None):
- """Add a user to an existing group.
+ """Add a group to an existing group.
group is a DN of the group to add
tgroup is the DN of the target group to be added to
"""
if not group or not tgroup:
raise ipaerror.gen_exception(ipaerror.INPUT_INVALID_PARAMETER)
+ if group.lower() == tgroup.lower():
+ raise ipaerror.gen_exception(ipaerror.INPUT_SAME_GROUP)
old_group = self.get_entry_by_dn(tgroup, None, opts)
if old_group is None:
raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)
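Review bot: The check in add_group_to_group rejects only the direct case; adding group A to B and later B to A still produces a membership loop, because `group.lower() == tgroup.lower()` looks at nothing but the two arguments. If indirect cycles are not meant to be handled in this change, a comment such as `# NOTE: only direct self-membership is rejected; nested cycles (A in B, B in A) are not detected here` would make the limit explicit. Separately, `.lower()` assumes both arguments are strings: a truthy non-string value arriving over XML-RPC passes the `not group or not tgroup` test and then raises AttributeError instead of INPUT_INVALID_PARAMETER. The method body continues past the end of the hunk.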