authorMartin Basti <mbasti@redhat.com>2015-07-09 16:48:36 +0200
committerJan Cholasta <jcholast@redhat.com>2015-07-17 04:57:54 +0000
commita619a1e211927c27f5c034dec8c1a1bbc03720f2 (patch)
treecfca7a39e739e7ca4b9dec62cb45e9cb638501f0 /ipalib/plugins/permission.py
parenta0ce9e6b09f8e35284bc8c97bd63d1e019ca8142 (diff)
Validate adding privilege to a permission
Adding a privilege to a permission via the web UI bypassed the check and allowed a permission of an improper type to be added. https://fedorahosted.org/freeipa/ticket/5075 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipalib/plugins/permission.py')
-rw-r--r--ipalib/plugins/permission.py7
1 files changed, 7 insertions, 0 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index f2e896935..7d2a4dd15 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -21,6 +21,7 @@ import re
import traceback
from ipalib.plugins import baseldap
+from ipalib.plugins.privilege import validate_permission_to_privilege
from ipalib import errors
from ipalib.parameters import Str, StrEnum, DNParam, Flag
from ipalib import api, _, ngettext
@@ -1377,6 +1378,12 @@ class permission_add_member(baseldap.LDAPAddMember):
"""Add members to a permission."""
NO_CLI = True
+ def pre_callback(self, ldap, dn, member_dns, failed, *keys, **options):
+ # We can only add permissions with bind rule type set to
+ # "permission" (or old-style permissions)
+ validate_permission_to_privilege(self.api, keys[-1])
+ return dn
+
@register()
class permission_remove_member(baseldap.LDAPRemoveMember):
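Review bot: The guard `validate_permission_to_privilege(self.api, keys[-1])` inspects only the permission named by the last key and never looks at `member_dns`, so it is sufficient here only because privilege is the sole member type this command accepts; a comment stating that dependency would keep the check correct if another member attribute is ever added, e.g. `# Only the permission's bind rule type needs checking; the members themselves (privileges) need no per-entry validation.`. The comment should also say that the validator is expected to raise on an unsuitable permission and that this aborts the whole add-member request before any LDAP write, which is the intended failure mode (inferred from its placement in pre_callback). The parameter names `member_dns, failed` appear to diverge from the positional names used by the base class's pre_callback (inferred, base class not in view); matching them would make the positional contract readable. The class `permission_add_member` continues past the hunk, and the new module-level import in the first hunk ties permission.py to privilege.py at import time, so any reverse import in privilege.py would need to stay function-local.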