author | Rob Crittenden <rcritten@redhat.com> | 2012-01-13 11:34:04 -0500 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2012-01-18 10:02:50 +0100 |
commit | 2c1f21a14bf9d47ab484d13f5947a059ccc1d041 (patch) | |
tree | 39c8ab3f1477d4b6df916bf25eef080483526a11 /ipalib/plugins/hbacrule.py | |
parent | c9c72d1b1a48a0c34afc1c4d0ca9aa842d537c9e (diff) | |
In sudo when the category is all do not allow members, and vice versa.
This is what we already do in the HBAC plugin, this ports it to Sudo.
If a category (user, host, etc) is u'all' then we don't allow individual
members to be added. Conversely, if there are members we don't allow the
category to be set to u'all'.
https://fedorahosted.org/freeipa/ticket/1440
Diffstat (limited to 'ipalib/plugins/hbacrule.py')
-rw-r--r-- | ipalib/plugins/hbacrule.py | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py
index 92b656d66..0fa44a590 100644
--- a/ipalib/plugins/hbacrule.py
+++ b/ipalib/plugins/hbacrule.py
@@ -96,10 +96,13 @@ def is_all(options, attribute):
 """
 See if options[attribute] is lower-case 'all' in a safe way.
 """
- if attribute in options and \
- options[attribute] is not None and \
- options[attribute].lower() == 'all':
- return True
+ if attribute in options and options[attribute] is not None:
+ if type(options[attribute]) in (list, tuple):
+ value = options[attribute][0].lower()
+ else:
+ value = options[attribute].lower()
+ if value == 'all':
+ return True
 else:
 return False |
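Review bot: In the new list/tuple branch of `is_all`, `options[attribute][0].lower()` raises IndexError when the option arrives as an empty list or tuple, so a check documented as "safe" can abort the caller instead of answering. Because this helper decides whether a rule's category is 'all' before members are accepted, it should give a definite answer on odd input: make the outer guard `if attribute in options and options[attribute]:` so that None, '' and empty sequences all reach the `else`, and test the type with `isinstance(options[attribute], (list, tuple))` rather than `type(...) in`. Only the first element is inspected, which is fine if the category is single-valued, but that is not visible here. Indentation is lost on this page, but if the trailing `else:` pairs with the outer `if`, a present value other than 'all' now returns None where the old code returned False; replacing the `else:` branch with an unconditional final `return False` would keep the result boolean. The `def is_all` line appears only in the hunk header, so the function starts outside the hunk.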