author | Martin Basti <mbasti@redhat.com> | 2015-07-09 16:48:36 +0200 |
committer | Jan Cholasta <jcholast@redhat.com> | 2015-07-17 04:57:54 +0000 |
commit | a619a1e211927c27f5c034dec8c1a1bbc03720f2 (patch) | |
tree | cfca7a39e739e7ca4b9dec62cb45e9cb638501f0 /ipalib/plugins/permission.py | |
parent | a0ce9e6b09f8e35284bc8c97bd63d1e019ca8142 (diff) | |
Validate adding privilege to a permission
Adding a privilege to a permission via the web UI bypassed the check and allowed adding a permission
with an improper type.
https://fedorahosted.org/freeipa/ticket/5075
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipalib/plugins/permission.py')
-rw-r--r-- | ipalib/plugins/permission.py | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index f2e896935..7d2a4dd15 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -21,6 +21,7 @@ import re
 import traceback
 from ipalib.plugins import baseldap
+from ipalib.plugins.privilege import validate_permission_to_privilege
 from ipalib import errors
 from ipalib.parameters import Str, StrEnum, DNParam, Flag
 from ipalib import api, _, ngettext
@@ -1377,6 +1378,12 @@ class permission_add_member(baseldap.LDAPAddMember):
     """Add members to a permission."""
     NO_CLI = True
+    def pre_callback(self, ldap, dn, member_dns, failed, *keys, **options):
+        # We can only add permissions with bind rule type set to
+        # "permission" (or old-style permissions)
+        validate_permission_to_privilege(self.api, keys[-1])
+        return dn
+
 @register()
 class permission_remove_member(baseldap.LDAPRemoveMember):
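Review bot: The new `pre_callback` on `permission_add_member` has no docstring, and its inline comment reads as if it were about adding permissions rather than about attaching privileges to this permission, so the intent of the guard is easy to misread; a one-line docstring such as `"""Reject the member addition unless this permission's bind rule type allows privileges; runs before any member is written."""` would fix both. The check keys off `keys[-1]`, which presumably is the permission's primary key as passed by the base class, and a short comment on that line (`# keys[-1] is the permission name`) would make the dependency explicit. The helper's exception type is not visible in this hunk, so the docstring should not name a specific error until confirmed against `ipalib/plugins/privilege.py`. Since `failed` and `member_dns` are left untouched, a rejection presumably aborts the whole call rather than reporting per-member failures, which is worth stating so API callers do not expect partial results.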