author | Rob Crittenden <rcritten@redhat.com> | 2008-02-27 15:14:52 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2008-02-27 15:14:52 -0500 |
commit | 999bd4fb1e4f601759b9eb7d40c27ec983c99329 (patch) | |
tree | 57e792bcca31472414f9e9e771834d53afce6769 /ipa-server/ipa-gui | |
parent | ad8096b51f1f8de2c05a5c53952fcb2cb5bbd116 (diff) | |
In the UI we don't want to display Edit links unless someone can actually
edit things. We use the 'editors' group for this. This group itself grants
no permission other than displaying certain things in the UI.
In order to be in the editors group a user must be a member of a group that
is the source group in a delegation. The memberof plugin will do all the
hard work to be sure that a user's memberof contains cn=editors if they
are in a delegated group.
432874
Diffstat (limited to 'ipa-server/ipa-gui')
-rw-r--r-- | ipa-server/ipa-gui/ipagui/proxyprovider.py | 23 | ||||
-rw-r--r-- | ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py | 51 |
2 files changed, 63 insertions, 11 deletions
diff --git a/ipa-server/ipa-gui/ipagui/proxyprovider.py b/ipa-server/ipa-gui/ipagui/proxyprovider.py index ab45a6db8..5a145de14 100644 --- a/ipa-server/ipa-gui/ipagui/proxyprovider.py +++ b/ipa-server/ipa-gui/ipagui/proxyprovider.py @@ -24,6 +24,7 @@ from ipaserver import funcs import ipa.config import ipa.group import ipa.user +import ldap log = logging.getLogger("turbogears.identity") @@ -41,18 +42,18 @@ class IPA_User(object): client = ipa.ipaclient.IPAClient(transport) client.set_krbccache(os.environ["KRB5CCNAME"]) try: - user = client.get_user_by_principal(user_name, ['dn']) + # Use memberof so we can see recursive group memberships as well. + user = client.get_user_by_principal(user_name, ['dn', 'memberof']) self.groups = [] - groups = client.get_groups_by_member(user.dn, ['dn', 'cn']) - if isinstance(groups, str): - groups = [groups] - for ginfo in groups: - # cn may be multi-valued, add them all just in case - cn = ginfo.getValue('cn') - if isinstance(cn, str): - cn = [cn] - for c in cn: - self.groups.append(c) + memberof = user.getValues('memberof') + if isinstance(memberof, str): + memberof = [memberof] + for mo in memberof: + rdn_list = ldap.explode_dn(mo, 0) + first_rdn = rdn_list[0] + (type,value) = first_rdn.split('=') + if type == "cn": + self.groups.append(value) except: raise diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py index 9b7e93059..73b0cbe6c 100644 --- a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py +++ b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py 
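Review bot: In the second proxyprovider.py hunk, `(type,value) = first_rdn.split('=')` raises ValueError (too many values to unpack) for any RDN whose value itself contains an '=' character, and `type` shadows the builtin; use `attr, value = first_rdn.split('=', 1)` and compare the attribute type case-insensitively, `if attr.lower() == "cn":`, since LDAP attribute types are not case-sensitive. The match also looks only at the leftmost RDN, so any entry whose RDN is `cn=editors`, wherever it sits in the tree, populates the 'editors' UI role; comparing the whole memberof DN against the expected editors group DN would be tighter, even though per the commit message this role only controls which links are displayed. `ldap.explode_dn(mo, 0)` appears to keep the RDN value in its escaped DN form, so a cn containing a comma or plus would not compare equal to its plain name. The enclosing method begins before the hunk.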
@@ -134,6 +134,15 @@ class DelegationController(IPAController): aci_entry.setValue('aci', new_aci.export_to_string()) client.update_entry(aci_entry) + + # Now add to the editors group so they can make changes in the UI + try: + group = client.get_entry_by_cn("editors") + client.add_group_to_group(new_aci.source_group, group.dn) + except ipa.ipaerror.exception_for(ipa.ipaerror.LDAP_EMPTY_MODLIST): + # This is ok, ignore it + pass + except ipaerror.IPAError, e: turbogears.flash("Delgate add failed: " + str(e) + "<br/>" + e.detail[0]['desc']) return dict(form=delegate_form, delegate=kw, @@ -216,11 +225,37 @@ class DelegationController(IPAController): new_aci_str = new_aci.export_to_string() new_aci_str_list = copy.copy(aci_str_list) + old_aci = ipa.aci.ACI(new_aci_str_list[old_aci_index]) new_aci_str_list[old_aci_index] = new_aci_str aci_entry.setValue('aci', new_aci_str_list) client.update_entry(aci_entry) + if new_aci.source_group != old_aci.source_group: + aci_list = [] + last = True + for aci_str in new_aci_str_list: + try: + aci = ipa.aci.ACI(aci_str) + if aci.source_group == old_aci.source_group: + last = False + break + except SyntaxError: + # ignore aci_str's that ACI can't parse + pass + if last: + group = client.get_entry_by_cn("editors") + client.remove_member_from_group(old_aci.source_group, group.dn) + + # Now add to the editors group so they can make changes in the UI + try: + group = client.get_entry_by_cn("editors") + client.add_group_to_group(new_aci.source_group, group.dn) + except ipa.ipaerror.exception_for(ipa.ipaerror.LDAP_EMPTY_MODLIST): + # This is ok, ignore it + pass + + turbogears.flash("delegate updated") raise turbogears.redirect('/delegate/list') except (SyntaxError, ipaerror.IPAError), e: 
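Review bot: The scan that decides whether `old_aci.source_group` still backs another delegation is duplicated verbatim between the update hunk here and the delete hunk at `@@ -291,12 +326,28 @@`, and both copies declare `aci_list = []` without ever using it; pulling the loop into a helper that returns as soon as a match is found removes the dead variable and keeps the two paths in step. The check compares `aci.source_group` to `old_aci.source_group` as plain strings, so if the stored ACI strings spell the same group DN with different case or spacing the scan would miss a live delegation and the group would be dropped from editors; if ACI normalizes source_group on parse this is fine, otherwise normalize before comparing. Unlike the add, `remove_member_from_group` is not wrapped in a try for the not-a-member case, so if it raises the outer handler reports a failure even though `client.update_entry(aci_entry)` has already committed the new ACI list. The new code catches `ipa.ipaerror.exception_for(...)` while the surrounding handlers reference `ipaerror.IPAError`; the file's imports are not in view, so confirm both names are bound. Both enclosing methods begin before their hunks.
```python
def _delegation_still_uses(aci_str_list, source_group):
    """Return True if any parseable ACI in aci_str_list names source_group."""
    for aci_str in aci_str_list:
        try:
            if ipa.aci.ACI(aci_str).source_group == source_group:
                return True
        except SyntaxError:
            # ignore aci_str's that ACI can't parse
            pass
    return False

# … in the update path, after client.update_entry(aci_entry) …
if new_aci.source_group != old_aci.source_group:
    if not _delegation_still_uses(new_aci_str_list, old_aci.source_group):
        group = client.get_entry_by_cn("editors")
        client.remove_member_from_group(old_aci.source_group, group.dn)
# … unchanged: add new_aci.source_group to the editors group …
```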
@@ -291,12 +326,28 @@ class DelegationController(IPAController): "concurrently modified.") raise turbogears.redirect('/delegate/list') + old_aci = ipa.aci.ACI(aci_str_list[old_aci_index]) new_aci_str_list = copy.copy(aci_str_list) del new_aci_str_list[old_aci_index] aci_entry.setValue('aci', new_aci_str_list) client.update_entry(aci_entry) + aci_list = [] + last = True + for aci_str in new_aci_str_list: + try: + aci = ipa.aci.ACI(aci_str) + if aci.source_group == old_aci.source_group: + last = False + break + except SyntaxError: + # ignore aci_str's that ACI can't parse + pass + if last: + group = client.get_entry_by_cn("editors") + client.remove_member_from_group(old_aci.source_group, group.dn) + turbogears.flash("delegate deleted") raise turbogears.redirect('/delegate/list') except (SyntaxError, ipaerror.IPAError), e: |