author | Rob Crittenden <rcritten@redhat.com> | 2007-11-20 22:45:29 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2007-11-20 22:45:29 -0500 |
commit | f42f1f44c81e15ac9ecbc6684cbc4dfc9395fd42 (patch) | |
tree | 5e3907c33efe15f9a7f04bc973a341d0851b6dd4 /ipa-server/ipa-gui | |
parent | 56d67b86e18112c9f059e7bcd3ac51fc21f941af (diff) | |
Enable group inactivation by using the Class of Service plugin.
This adds 2 new groups: activated and inactivated.
If you, or a group you are a member of, is in inactivated then you are too.
If you, or a group you are a member of, is in the activated group, then you
are too.
In a fight between activated and inactivated, activated wins.
The DN matching for this is case and white space sensitive.
The goal is to never have to actually set nsAccountLock in a user directly
but move them between these groups.
We need to decide where in the CLI this will happen. Right now it is split
between ipa-deluser and ipa-usermod. To inactivate groups for now just
add the group to the inactivated or activated group.
Diffstat (limited to 'ipa-server/ipa-gui')
-rw-r--r-- | ipa-server/ipa-gui/ipagui/forms/group.py | 4 | ||||
-rw-r--r-- | ipa-server/ipa-gui/ipagui/subcontrollers/group.py | 35 | ||||
-rw-r--r-- | ipa-server/ipa-gui/ipagui/subcontrollers/user.py | 26 | ||||
-rw-r--r-- | ipa-server/ipa-gui/ipagui/templates/groupeditform.kid | 10 | ||||
-rw-r--r-- | ipa-server/ipa-gui/ipagui/templates/grouplist.kid | 12 | ||||
-rw-r--r-- | ipa-server/ipa-gui/ipagui/templates/groupshow.kid | 7 | ||||
-rw-r--r-- | ipa-server/ipa-gui/ipagui/templates/usereditform.kid | 2 |
7 files changed, 82 insertions, 14 deletions
diff --git a/ipa-server/ipa-gui/ipagui/forms/group.py b/ipa-server/ipa-gui/ipagui/forms/group.py index 04c0298ad..b67156641 100644 --- a/ipa-server/ipa-gui/ipagui/forms/group.py +++ b/ipa-server/ipa-gui/ipagui/forms/group.py @@ -9,6 +9,10 @@ class GroupFields(): editprotected_hidden = widgets.HiddenField(name="editprotected") + nsAccountLock = widgets.SingleSelectField(name="nsAccountLock", + label="Group Status", + options = [("", "active"), ("true", "inactive")]) + group_orig = widgets.HiddenField(name="group_orig") member_data = widgets.HiddenField(name="member_data") dn_to_info_json = widgets.HiddenField(name="dn_to_info_json") diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/group.py b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py index 7c05eebc0..dbcc77b9a 100644 --- a/ipa-server/ipa-gui/ipagui/subcontrollers/group.py +++ b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py @@ -22,7 +22,7 @@ log = logging.getLogger(__name__) group_new_form = ipagui.forms.group.GroupNewForm() group_edit_form = ipagui.forms.group.GroupEditForm() -group_fields = ['*'] +group_fields = ['*', 'nsAccountLock'] class GroupController(IPAController): @@ -75,6 +75,9 @@ class GroupController(IPAController): new_group.setValue('description', kw.get('description')) rv = client.add_group(new_group) + + if kw.get('nsAccountLock'): + client.mark_group_inactive(kw.get('cn')) except ipaerror.exception_for(ipaerror.LDAP_DUPLICATE): turbogears.flash("Group with name '%s' already exists" % kw.get('cn')) @@ -224,6 +227,12 @@ class GroupController(IPAController): turbogears.flash("Edit group cancelled") raise turbogears.redirect('/group/show', cn=cn[0]) + if kw.get('editprotected') == '': + # if editprotected set these don't get sent in kw + orig_group_dict = loads(b64decode(kw.get('group_orig'))) + kw['cn'] = orig_group_dict['cn'] + kw['gidnumber'] = orig_group_dict['gidnumber'] + # Decode the member data, in case we need to round trip member_dicts = loads(b64decode(kw.get('member_data'))) 
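Review bot: In the `@@ -75,6 +75,9 @@` hunk the group is created by `client.add_group(new_group)` and only afterwards marked inactive, so a failure in `client.mark_group_inactive(kw.get('cn'))` leaves a group that was requested as inactive present and active. The only handler visible here is for `LDAP_DUPLICATE`; the rest of the `try` is outside the hunk, so it cannot be seen whether any other handler reports this case accurately. The same ordering appears in the `@@ -197,14 +197,14 @@` hunk of `subcontrollers/user.py`, where it replaces setting `nsAccountLock` on the entry before `add_user`, and there the result is presumably a usable account that was meant to be locked. I would catch `ipaerror.IPAError` around the `mark_*_inactive` call and flash that the entry was created but is still active, so the administrator knows to retry the inactivation.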
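Review bot: The new `editprotected == ''` branch in the `@@ -224,6 +227,12 @@` hunk takes `cn` and `gidnumber` from `group_orig`, which `forms/group.py` declares as a `HiddenField`, so the values are whatever the browser posts back rather than what the directory holds. The `else:` branch added in the `@@ -251,6 +260,17 @@` hunk writes those same posted values into `new_group` with `setValue`, so they appear to reach `client.update_group` whenever another field changed, even though the protected fields were not opened for editing. The import of `loads` is outside this page; if it is `pickle.loads`, decoding a client-supplied field with it is unsafe in its own right and deserves at least a comment on this line. I would take the two values from the group entry re-read on the server, or verify an integrity tag on `group_orig` before decoding it. The method body starts and continues outside the hunk.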
@@ -251,6 +260,17 @@ class GroupController(IPAController): if new_group.gidnumber != new_gid: group_modified = True new_group.setValue('gidnumber', new_gid) + else: + new_group.setValue('gidnumber', orig_group_dict.get('gidnumber')) + new_group.setValue('cn', orig_group_dict.get('cn')) + if new_group.cn != kw.get('cn'): + group_modified = True + new_group.setValue('cn', kw['cn']) + + if group_modified: + rv = client.update_group(new_group) + # + # If the group update succeeds, but below operations fail, we if new_group.cn != kw.get('cn'): group_modified = True new_group.setValue('cn', kw['cn']) @@ -268,6 +288,17 @@ class GroupController(IPAController): return dict(form=group_edit_form, group=kw, members=member_dicts, tg_template='ipagui.templates.groupedit') + if kw.get('nsAccountLock') == '': + kw['nsAccountLock'] = "false" + + modify_no_update = False + if kw.get('nsAccountLock') == "false" and new_group.getValues('nsaccountlock') == "true": + client.mark_group_active(kw.get('cn')) + modify_no_update = True + elif kw.get('nsAccountLock') == "true" and new_group.nsaccountlock != "true": + client.mark_group_inactive(kw.get('cn')) + modify_no_update = True + # # Add members # @@ -326,7 +357,7 @@ class GroupController(IPAController): cn0 = kw['cn'][0] else: cn0 = kw['cn'] - if group_modified == True: + if group_modified == True or modify_no_update == True: turbogears.flash("%s updated!" % cn0) else: turbogears.flash("No modifications requested.") diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py index 579379c43..39343b595 100644 --- a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py +++ b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py 
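Review bot: The added `else:` branch in the `@@ -251,6 +260,17 @@` hunk reads `orig_group_dict`, which the `@@ -224,6 +227,12 @@` hunk binds only when `kw.get('editprotected') == ''`; the matching `if` is outside this hunk, but if it tests for `'true'`, any other value (for instance a missing field, where `kw.get` returns `None`) reaches `orig_group_dict.get(...)` with the name unbound. The added lines also end with a `cn` comparison, an `update_group` call and a half-sentence comment (`# If the group update succeeds, but below operations fail, we`) that are immediately followed by the same `cn` comparison as context, which looks like a block pasted twice; indentation is lost on this page, so that reading is a guess. I would bind `orig_group_dict` unconditionally before the branch and drop the repeated lines if they are indeed a copy.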
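Review bot: In the `@@ -268,6 +288,17 @@` hunk `client.mark_group_active` and `client.mark_group_inactive` are called without any error handling, while the equivalent block added to `subcontrollers/user.py` in this commit wraps its calls in `try` / `except ipaerror.IPAError` and re-renders the edit form. The preceding context line is a `return dict(...)`, so this code appears to sit after the update's own handler, though the enclosing `try` is outside the hunk. The two branches also read the current state differently, `new_group.getValues('nsaccountlock') == "true"` in one and `new_group.nsaccountlock != "true"` in the other; using one accessor in both would rule out a mismatch between them. A version with the handler is below.

```python
        modify_no_update = False
        try:
            # … unchanged: the mark_group_active / mark_group_inactive branches, one level deeper …
        except ipaerror.IPAError, e:
            turbogears.flash("Group status change failed: " + str(e))
            return dict(form=group_edit_form, group=kw, members=member_dicts,
                        tg_template='ipagui.templates.groupedit')
```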
@@ -197,14 +197,14 @@ class UserController(IPAController): new_user.setValue('carlicense', kw.get('carlicense')) new_user.setValue('labeleduri', kw.get('labeleduri')) - if kw.get('nsAccountLock'): - new_user.setValue('nsAccountLock', 'true') - for custom_field in user_new_form.custom_fields: new_user.setValue(custom_field.name, kw.get(custom_field.name, '')) rv = client.add_user(new_user) + + if kw.get('nsAccountLock'): + client.mark_user_inactive(kw.get('uid')) except ipaerror.exception_for(ipaerror.LDAP_DUPLICATE): turbogears.flash("User with login '%s' already exists" % kw.get('uid')) @@ -482,12 +482,6 @@ class UserController(IPAController): new_user.setValue('carlicense', kw.get('carlicense')) new_user.setValue('labeleduri', kw.get('labeleduri')) - - if kw.get('nsAccountLock'): - new_user.setValue('nsAccountLock', 'true') - else: - new_user.setValue('nsAccountLock', None) - if kw.get('editprotected') == 'true': if kw.get('userpassword'): password_change = True @@ -572,6 +566,20 @@ class UserController(IPAController): user_groups=user_groups_dicts, tg_template='ipagui.templates.useredit') + if kw.get('nsAccountLock') == '': + kw['nsAccountLock'] = "false" + + try: + if kw.get('nsAccountLock') == "false" and new_user.getValues('nsaccountlock') == "true": + client.mark_user_active(kw.get('uid')) + elif kw.get('nsAccountLock') == "true" and new_user.nsaccountlock != "true": + client.mark_user_inactive(kw.get('uid')) + except ipaerror.IPAError, e: + turbogears.flash("User status change failed: " + str(e) + "<br/>" + e.detail[0]['desc']) + return dict(form=user_edit_form, user=kw, + user_groups=user_groups_dicts, + tg_template='ipagui.templates.useredit') + turbogears.flash("%s updated!" % kw['uid']) raise turbogears.redirect('/user/show', uid=kw['uid']) diff --git a/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid b/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid index d46bc731e..6a5c5adb8 100644 --- a/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid 
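Review bot: The flash message in the new `except ipaerror.IPAError, e:` handler of the `@@ -572,6 +566,20 @@` hunk concatenates `str(e)` and `e.detail[0]['desc']` with a literal `<br/>`, which only makes sense if the flash text is rendered as markup; in that case error text coming back from the server, which may echo submitted values, is written into the page unescaped. `e.detail[0]['desc']` also assumes `detail` is a non-empty list of dicts, and an exception raised inside the handler would replace the intended error page. I would HTML-escape both dynamic parts before concatenating them and fall back to `str(e)` alone when `detail` is empty. The handler appears to run after the main user update earlier in the method (outside the hunk), so the message could also say that the other changes were already saved.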
+++ b/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid @@ -112,6 +112,16 @@ from ipagui.helpers import ipahelper </script> </td> </tr> + <tr> + <th> + <label class="fieldlabel" for="${group_fields.nsAccountLock.field_id}" py:content="group_fields.nsAccountLock.label" />: + </th> + <td> + <span py:replace="group_fields.nsAccountLock.display(value_for(group_fields.nsAccountLock))" /> + <span py:if="tg.errors.get('nsAccountLock')" class="fielderror" + py:content="tg.errors.get('nsAccountLock')" /> + </td> + </tr> </table> <div> diff --git a/ipa-server/ipa-gui/ipagui/templates/grouplist.kid b/ipa-server/ipa-gui/ipagui/templates/grouplist.kid index 9f9bc4840..9489b3744 100644 --- a/ipa-server/ipa-gui/ipagui/templates/grouplist.kid +++ b/ipa-server/ipa-gui/ipagui/templates/grouplist.kid @@ -20,7 +20,7 @@ </div> <div py:if='(groups != None) and (len(groups) > 0)'> <h2>${len(groups)} results returned:</h2> - <table id="resultstable" class="details sortable resizable"> + <table id="resultstable" class="details sortable resizable" cellspacing="0"> <thead> <tr> <th> @@ -32,7 +32,15 @@ </tr> </thead> <tbody> - <tr py:for="group in groups"> + <tr py:for="group in groups" py:if="group.nsAccountLock != 'true'"> + <td> + <a href="${tg.url('/group/show',cn=group.cn)}">${group.cn}</a> + </td> + <td> + ${group.description} + </td> + </tr> + <tr id="inactive" py:for="group in groups" py:if="group.nsAccountLock == 'true'"> <td> <a href="${tg.url('/group/show',cn=group.cn)}">${group.cn}</a> </td> diff --git a/ipa-server/ipa-gui/ipagui/templates/groupshow.kid b/ipa-server/ipa-gui/ipagui/templates/groupshow.kid index b2f37bf52..8713742d5 100644 --- a/ipa-server/ipa-gui/ipagui/templates/groupshow.kid +++ b/ipa-server/ipa-gui/ipagui/templates/groupshow.kid @@ -11,6 +11,7 @@ cn = group.get('cn') if isinstance(cn, list): cn = cn[0] edit_url = tg.url('/group/edit', cn=cn) +from ipagui.helpers import userhelper ?> <div id="details"> <h1>View Group</h1> 
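Review bot: The second row added in the `@@ -32,7 +32,15 @@` hunk of `grouplist.kid` carries `id="inactive"` inside a `py:for` loop, so every inactive group emits a `<tr>` with the same id and the document ends up with duplicate ids; a class is the attribute for a repeated marker, e.g. `<tr class="inactive" py:for="group in groups" py:if="group.nsAccountLock == 'true'">`. Splitting the list into two loops also moves all inactive groups below the active ones and repeats the cell markup; a single loop that sets the class conditionally through `py:attrs` would keep one copy of the row. Any stylesheet rule keyed on `#inactive` is outside this page and would need the matching change.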
@@ -42,6 +43,12 @@ edit_url = tg.url('/group/edit', cn=cn) </th> <td>${group.get("gidnumber")}</td> </tr> + <tr> + <th> + <label class="fieldlabel" py:content="fields.nsAccountLock.label" />: + </th> + <td>${userhelper.account_status_display(group.get("nsAccountLock"))}</td> + </tr> </table> <h2 class="formsection">Group Members</h2> diff --git a/ipa-server/ipa-gui/ipagui/templates/usereditform.kid b/ipa-server/ipa-gui/ipagui/templates/usereditform.kid index c95b36e39..88b778d8c 100644 --- a/ipa-server/ipa-gui/ipagui/templates/usereditform.kid +++ b/ipa-server/ipa-gui/ipagui/templates/usereditform.kid @@ -787,7 +787,7 @@ from ipagui.helpers import ipahelper group_dn = group.get('dn') group_dn_esc = ipahelper.javascript_string_escape(group_dn) - group_name = group.get('cn')[0] + group_name = group.get('cn') group_descr = "[group]" group_type = "group" |
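Review bot: In the `usereditform.kid` hunk, `group_name = group.get('cn')` now assumes `cn` arrives as a plain string, while `groupshow.kid` in this same commit still guards with `if isinstance(cn, list): cn = cn[0]`. If both shapes can occur, the same guard here keeps `group_name` a string. The place where `group_name` is written into the page is outside the hunk, so it is worth checking that it is escaped the way `group_dn` is with `ipahelper.javascript_string_escape`.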