authorPetr Viktorin <pviktori@redhat.com>2014-02-25 17:24:02 +0100
committerPetr Viktorin <pviktori@redhat.com>2014-03-25 14:18:12 +0100
commit1df9b5836ad26bab3513b726305f5e061424e2c9 (patch)
tree25a46abf01a2cebc371309e488c3b823a236cfc3 /ipalib/plugins/permission.py
parentd0e83dbccfdb35b1cdd4963ce4ffb2ff0627b066 (diff)
Allow modifying permissions with ":" in the name
The ":" character will be reserved for default permissions, so that users cannot create a permission with a name that will later be added as a default. Allow the ":" character when modifying/deleting permissions*, but not when creating them. Also do not allow the new name to contain ":" when renaming. (* modify/delete have unrelated restrictions on managed permissions) Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipalib/plugins/permission.py')
-rw-r--r--ipalib/plugins/permission.py31
1 files changed, 29 insertions, 2 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index b9aedbee7..987b9199a 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -147,6 +147,18 @@ def validate_type(ugettext, typestr):
return _('"%s" is not a valid permission type') % typestr
+def _disallow_colon(option):
+ """Given a "cn" option, return a new "cn" option with ':' disallowed
+
+ Used in permission-add and for --rename in permission-mod to prevent user
+ from creating new permissions with ":" in the name.
+ """
+ return option.clone(
+ pattern='^[-_ a-zA-Z0-9.]+$',
+ pattern_errmsg="May only contain letters, numbers, -, _, ., and space",
+ )
+
+
@register()
class permission(baseldap.LDAPObject):
"""
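Review bot: The pattern and error message in `_disallow_colon` duplicate the character set that the `cn` parameter of `permission` defines in the next hunk, so the two will silently diverge the next time the allowed set is widened; a module-level constant such as `_NAME_CHARS = '-_ a-zA-Z0-9.'` used to build both patterns (`'^[%s]+$' % _NAME_CHARS` here, `'^[%s:]+$' % _NAME_CHARS` on the parameter) would keep them in step. A smaller point on the regex itself: if the parameter validator applies it with `re.match`, a trailing `$` still accepts a value that ends in a newline, whereas `\Z` anchors at the true end of the string. Both points apply unchanged to the widened pattern in the second hunk.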
@@ -176,8 +188,9 @@ class permission(baseldap.LDAPObject):
cli_name='name',
label=_('Permission name'),
primary_key=True,
- pattern='^[-_ a-zA-Z0-9.]+$',
- pattern_errmsg="May only contain letters, numbers, -, _, ., and space",
+ pattern='^[-_ a-zA-Z0-9.:]+$',
+ pattern_errmsg="May only contain letters, numbers, "
+ "-, _, ., :, and space",
),
StrEnum(
'ipapermright*',
@@ -877,6 +890,13 @@ class permission_add(baseldap.LDAPCreate):
self.obj.preprocess_options(options, merge_targetfilter=True)
return super(permission_add, self).execute(*keys, **options)
+ def get_args(self):
+ for arg in super(permission_add, self).get_args():
+ if arg.name == 'cn':
+ yield _disallow_colon(arg)
+ else:
+ yield arg
+
def pre_callback(self, ldap, dn, entry, attrs_list, *keys, **options):
entry['ipapermissiontype'] = ['SYSTEM', 'V2']
entry['cn'] = list(keys)
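Review bot: `get_args` in `permission_add` has no docstring, and the identical override shape appears as `get_options` in `permission_mod` in the next hunk, so the reason for the override lives only in the commit message. A one-line docstring such as `"""Yield the parent's args with the 'cn' key narrowed to reject ':' (see _disallow_colon)."""` on this method, and the matching one on `permission_mod.get_options`, would make the intent visible at the call site. The match is on `arg.name == 'cn'`, so if the primary key is ever renamed the override degrades silently to a no-op; a reviewer may want a test asserting that `permission-add` with a ':' in the name is rejected, so that regression is caught.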
@@ -966,6 +986,13 @@ class permission_mod(baseldap.LDAPUpdate):
options, return_filter_ops=True)
return super(permission_mod, self).execute(*keys, **options)
+ def get_options(self):
+ for opt in super(permission_mod, self).get_options():
+ if opt.name == 'rename':
+ yield _disallow_colon(opt)
+ else:
+ yield opt
+
def pre_callback(self, ldap, dn, entry, attrs_list, *keys, **options):
if 'rename' in options and not options['rename']:
raise errors.ValidationError(name='rename',