author | Petr Viktorin <pviktori@redhat.com> | 2014-02-27 14:38:16 +0100 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-03-07 20:05:28 +0100 |
commit | 0c2aec1be52af311feab15c01d03dfaff4b60fce (patch) | |
tree | 457d176bc7e4aa472f41e4a086d11442b9dc79cf /ipalib/plugins/permission.py | |
parent | 02e61961daf87fae22d6891ce2e1d7f8670dd2bf (diff) | |
permission plugin: Allow multiple values for memberof
Design: http://www.freeipa.org/page/V3/Multivalued_target_filters_in_permissions
Additional fix for: https://fedorahosted.org/freeipa/ticket/4074
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipalib/plugins/permission.py')
-rw-r--r-- | ipalib/plugins/permission.py | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 79335404a..82272d361 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -243,7 +243,7 @@ class permission(baseldap.LDAPObject):
 flags={'no_option'}
 ),
- Str('memberof?',
+ Str('memberof*',
 label=_('Member of group'), # FIXME: Does this label make sense?
 doc=_('Target members of a group (sets memberOf targetfilter)'),
 flags={'ask_create', 'virtual_attribute'},
@@ -388,9 +388,13 @@ class permission(baseldap.LDAPObject):
 if not client_has_capability(options['version'], 'permissions2'):
 # Legacy clients expect some attributes as a single value
- for attr in 'type', 'targetgroup', 'memberof', 'aci':
+ for attr in 'type', 'targetgroup', 'aci':
 if attr in entry:
 entry[attr] = entry.single_value[attr]
+ # memberof was also single-valued, but not any more
+ if entry.get('memberof'):
+ joined_value = u', '.join(str(m) for m in entry['memberof'])
+ entry['memberof'] = joined_value
 if 'subtree' in entry:
 # Legacy clients expect subtree as a URL
 dn = entry.single_value['subtree']
@@ -656,14 +660,14 @@ class permission(baseldap.LDAPObject):
 # memberof
 if 'memberof' in options:
- memberof = options.pop('memberof')
 filter_ops['remove'].append(re.compile(r'\(memberOf=.*\)', re.I))
- if memberof:
+ memberof = options.pop('memberof')
+ for group in (memberof or ()):
 try:
- groupdn = self.api.Object.group.get_dn_if_exists(memberof)
+ groupdn = self.api.Object.group.get_dn_if_exists(group)
 except errors.NotFound:
 raise errors.NotFound(
- reason=_('%s: group not found') % memberof)
+ reason=_('%s: group not found') % group)
 filter_ops['add'].append(u'(memberOf=%s)' % groupdn)
 # targetgroup
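Review bot: The parameter now accepts several groups (`Str('memberof*', ...)`) but the doc string on the following context line still describes a single one, `doc=_('Target members of a group (sets memberOf targetfilter)')`. Suggest `doc=_('Target members of groups (sets memberOf targetfilter)')` so the CLI help matches the new cardinality; the `# FIXME` on the label line could be resolved in the same change. The enclosing parameter list starts and ends outside the hunk.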
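Review bot: `str(m)` in the new join will raise UnicodeEncodeError under Python 2 for any group name containing non-ASCII characters, while the surrounding code works in unicode (`u', '`). Converting with the text type instead keeps the legacy path from failing on such names: `joined_value = u', '.join(unicode(m) for m in entry['memberof'])`. The added comment could also state that the joined string is a display-only compatibility value, since a legacy client that presumably passes it back as a single group name will not match any group; e.g. `# Legacy clients get a display-only, comma-joined string`. The enclosing method continues outside the hunk.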
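Review bot: Each value in `memberof` now appends its own `(memberOf=<dn>)` entry to `filter_ops['add']`, and nothing in the hunk states how several entries are combined (AND vs OR), which decides whether naming two groups widens or narrows the permission's target; a comment at the loop would make the intended semantics explicit, e.g. `# One (memberOf=...) filter per group; see how filter_ops['add'] is assembled below`. Repeated group names in the option also produce duplicate filters; if that is unintended, the loop could iterate unique values while preserving order. The enclosing method starts and ends outside the hunk, so the filter assembly itself is not visible here.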