author | Tomas Babej <tbabej@redhat.com> | 2015-07-23 14:00:06 +0200 |
committer | Tomas Babej <tbabej@redhat.com> | 2015-07-23 15:37:01 +0200 |
commit | aa066f31a5341079197f7b5a79fe2fa1045688bb (patch) | |
tree | fd9a57e6074e37a953b8a2172c1346bdc007992a /ipalib/plugins/idviews.py | |
parent | e0d3231f07426b193f2f4e1a9e9f31494a5c39b1 (diff) | |
idviews: Enforce objectclass check in idoverride*-del
Even with anchor-to-SID type checking, it would still be
possible to delete a user ID override by specifying a group
raw anchor and vice versa.
This patch introduces an objectclass check in the idoverride*-del
commands to prevent that.
https://fedorahosted.org/freeipa/ticket/5029
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'ipalib/plugins/idviews.py')
-rw-r--r-- | ipalib/plugins/idviews.py | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index 4d1aefef2..cf5c9b5e8 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -718,6 +718,25 @@ class baseidoverride_del(LDAPDelete):
     takes_options = LDAPDelete.takes_options + (fallback_to_ldap_option,)
+    def pre_callback(self, ldap, dn, *keys, **options):
+        assert isinstance(dn, DN)
+
+        # Make sure the entry we're deleting has all the objectclasses
+        # this object requires
+        try:
+            entry = ldap.get_entry(dn, ['objectclass'])
+        except errors.NotFound:
+            self.obj.handle_not_found(*keys)
+
+        required_object_classes = set(self.obj.object_class)
+        actual_object_classes = set(entry['objectclass'])
+
+        # If not, treat it as a failed search
+        if not required_object_classes.issubset(actual_object_classes):
+            self.obj.handle_not_found(*keys)
+
+        return dn
+
 class baseidoverride_mod(LDAPUpdate):
     __doc__ = _('Modify an ID override.') |
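Review bot: The objectclass comparison in pre_callback is case-sensitive, while LDAP objectClass values are matched case-insensitively by the directory, so an entry whose stored values differ in case from self.obj.object_class would be reported as not found and the override could never be deleted through this command. Normalising both sides before the subset test keeps the check fail-closed without that false rejection: `required_object_classes = {oc.lower() for oc in self.obj.object_class}` and `actual_object_classes = {oc.lower() for oc in entry['objectclass']}`. The code after the except clause also relies on self.obj.handle_not_found raising rather than returning; if it ever returned, `entry` would be unbound on the following line, so a `raise` after the call, or a comment stating that handle_not_found always raises, would make that contract explicit. The enclosing class baseidoverride_del starts before the hunk.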