author | Petr Viktorin <pviktori@redhat.com> | 2014-03-07 16:29:47 +0100 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-03-14 10:14:05 +0100 |
commit | 64cc4d81cce2143f13b9ddad946473d58bc42b36 (patch) | |
tree | 53ed3b455174b413938626a91ae742f611be7818 /ipalib/plugins/permission.py | |
parent | 9f1c3d06bdb2f6bc0df5749bb994bc2ba9b630f9 (diff) | |
permission plugin: Do not change extra target filters by "views"
Previously, setting/deleting the "--type" virtual attribute removed
all (objectclass=...) target filters.
Change so that only the filter associated with --type is removed.
The same change applies to --memberof: only filters associated
with the option are removed when --memberof is (un-)set.
Follow-up to https://fedorahosted.org/freeipa/ticket/4216
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipalib/plugins/permission.py')
-rw-r--r-- | ipalib/plugins/permission.py | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index be08b148c..65220b6e0 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py @@ -689,10 +689,10 @@ class permission(baseldap.LDAPObject): If true, a dictionary of operations on ipapermtargetfilter is returned. These operations must be performed after the existing entry - is retreived. + is retrieved. The dict has the following keys: - - remove: list of regular expression objects; values that match - any of them sould be removed + - remove: list of regular expression objects; + implicit values that match any of them should be removed - add: list of values to be added, after any removals :merge_targetfilter: If true, the extratargetfilter is copied into ipapermtargetfilter. @@ -1042,10 +1042,13 @@ class permission_mod(baseldap.LDAPUpdate): list(filter_attr_info['implicit_targetfilters'])) filter_ops = context.filter_ops + old_filter_attr_info = self.obj._get_filter_attr_info(old_entry) + old_implicit_filters = old_filter_attr_info['implicit_targetfilters'] removes = filter_ops.get('remove', []) new_filters = set( filt for filt in (entry.get('ipapermtargetfilter') or []) - if not any(rem.match(filt) for rem in removes)) + if filt not in old_implicit_filters or + not any(rem.match(filt) for rem in removes)) new_filters.update(filter_ops.get('add', [])) new_filters.update(options.get('ipapermtargetfilter') or []) entry['ipapermtargetfilter'] = list(new_filters) |
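Review bot: The rewritten condition in the `new_filters` generator of the second hunk (`if filt not in old_implicit_filters or not any(rem.match(filt) for rem in removes)`) has no comment stating the rule it encodes, although it decides which target filters remain on the permission. Because those filters bound what the permission applies to, I would add a line above `new_filters = set(`, such as `# Only filters that were implicit on the old entry may be removed; extra filters stay even when a remove pattern matches them`. The membership test is an exact string comparison against whatever `_get_filter_attr_info(old_entry)` returns. If stored values can differ from the computed ones in case or spacing (not visible in this hunk), a stale implicit filter would survive a `--type` or `--memberof` change, so this is worth confirming or pinning with a regression test. The enclosing `permission_mod` method starts and ends outside the hunk.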