author | Petr Viktorin <pviktori@redhat.com> | 2012-05-21 05:03:21 -0400 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2012-05-29 09:23:26 +0200 |
commit | 1af36da933cd3c788e3a48257e2f5c286e985e22 (patch) | |
tree | 472816360fa7ad147e958b63e240f45ed04a72b0 /ipalib/plugins/baseldap.py | |
parent | e0930d42a54e586a0170c853fbc9e66f9193d5b0 (diff) | |
Disallow setattr on no_update/no_create params
Make --{set,add,del}attr fail on parameters with the no_update/no_create
flag for the respective command.
For attributes that can be modified, but we just don't want to display
in the CLI, use the 'no_option' flag. These are "locking" attributes
(ipaenabledflag, nsaccountlock) and externalhost.
Document the 'no_option' flag. Add some tests.
https://fedorahosted.org/freeipa/ticket/2580
Diffstat (limited to 'ipalib/plugins/baseldap.py')
-rw-r--r-- | ipalib/plugins/baseldap.py | 18 |
1 files changed, 8 insertions, 10 deletions
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 2851f0f27..7664928be 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -320,7 +320,7 @@ def validate_externalhost(ugettext, hostname): external_host_param = Str('externalhost*', validate_externalhost, label=_('External host'), - flags=['no_create', 'no_update', 'no_search'], + flags=['no_option'], ) @@ -819,6 +819,11 @@ last, after all sets and adds."""), m = re.match("\s*(.*?)\s*=\s*(.*?)\s*$", a) attr = str(m.group(1)).lower() value = m.group(2) + if attr in self.obj.params and attr not in self.params: + # The attribute is managed by IPA, but it didn't get cloned + # to the command. This happens with no_update/no_create attrs. + raise errors.ValidationError( + name=attr, error=_('attribute is not configurable')) if len(value) == 0: # None means "delete this attribute" value = None @@ -919,17 +924,10 @@ last, after all sets and adds."""), # normalize all values changedattrs = setattrs | addattrs | delattrs for attr in changedattrs: - if attr in self.obj.params: + if attr in self.params and self.params[attr].attribute: # convert single-value params to scalars + param = self.params[attr] value = entry_attrs[attr] - try: - param = self.params[attr] - except KeyError: - # The CRUD classes filter their disallowed parameters out. - # Yet {set,add,del}attr are powerful enough to change these - # (e.g. Config's ipacertificatesubjectbase) - # So, use the parent's attribute - param = self.obj.params[attr] if not param.multivalue: if len(value) == 1: value = value[0] |
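Review bot: The flag change on `external_host_param` also drops `no_search`, which the commit message does not mention; it only talks about create and update. If `no_option` hides the parameter from the CLI but leaves it in the command's params, externalhost would presumably become usable as a filter in the find commands too, so please confirm that is intended or keep the old restriction with `flags=['no_option', 'no_search'],`. A one-line comment above the definition would record the intent, e.g. `# no_option: kept out of the CLI options, still changeable through --setattr/--addattr`. The `Str(...)` call itself is fully inside the hunk.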
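Review bot: The new guard `if attr in self.obj.params and attr not in self.params:` matches the lowercased name from the option string against parameter names, so it only protects an attribute when the caller spells it exactly as the param is named. If a no_update/no_create param's name differs from its LDAP attribute, or the directory accepts another name for the same attribute (an alias or OID), the test is false and the value goes on to the entry unchecked. Whether names are canonicalised before this point is not visible, because the enclosing method starts and ends outside the hunk. Consider resolving the name to its canonical attribute before the membership test, and add a test that a protected attribute is also refused under its alternate spelling. Separately, the context line `m = re.match(...)` is dereferenced without a None check, which is only safe if the `attr=value` format is validated earlier.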
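Review bot: With the fallback to `self.obj.params[attr]` removed, a changed attribute that is not a param of this command now skips the single-value conversion silently, and the reason that is safe sits in a different hunk. If the check added around line 819 is what guarantees it, say so at the new condition, e.g. `# attrs known to the object but not cloned to this command were rejected when --setattr/--addattr/--delattr were parsed`. The deleted comment named Config's ipacertificatesubjectbase as something setattr could change; a test asserting that it is now refused with ValidationError would pin the behaviour this commit intends. The loop body continues past the end of the hunk.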