authorPetr Viktorin <pviktori@redhat.com>2013-10-29 17:01:07 +0100
committerMartin Kosek <mkosek@redhat.com>2014-01-07 09:56:41 +0100
commit4a64a1f18bd51c65bf34a13fd7541e1d6b4b75fd (patch)
tree8cc1db4e9b3e1b77f25b36ad5c58a1b37d94fea7 /ipalib/plugins/privilege.py
parentd7f5d58d352f31df144de15976bd06c5aa822210 (diff)
Allow anonymous and all permissions
Disallow adding permissions with a non-default bindtype to privileges. Ticket: https://fedorahosted.org/freeipa/ticket/4032 Design: http://www.freeipa.org/page/V3/Anonymous_and_All_permissions
Diffstat (limited to 'ipalib/plugins/privilege.py')
-rw-r--r--ipalib/plugins/privilege.py33
1 files changed, 32 insertions, 1 deletions
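--- a/ipalib/plugins/privilege.py
+++ b/ipalib/plugins/privilege.py
@@ -18,7 +18,7 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 from ipalib.plugins.baseldap import *
-from ipalib import api, _, ngettext
+from ipalib import api, _, ngettext, errors
 from ipalib.plugable import Registry
 __doc__ = _("""
@@ -152,6 +152,37 @@ class privilege_add_permission(LDAPAddReverseMember):
 ),
 )
+ def pre_callback(self, ldap, dn, *keys, **options):
+ if options.get('permission'):
+ # We can only add permissions with bind rule type set to
+ # "permission" (or old-style permissions)
+ ldapfilter = ldap.combine_filters(rules='&', filters=[
+ '(objectClass=ipaPermissionV2)',
+ '(!(ipaPermBindRuleType=permission))',
+ ldap.make_filter_from_attr('cn', options['permission'],
+ rules='|'),
+ ])
+ try:
+ entries, truncated = ldap.find_entries(
+ filter=ldapfilter,
+ attrs_list=['cn', 'ipapermbindruletype'],
+ base_dn=DN(self.api.env.container_permission,
+ self.api.env.basedn),
+ size_limit=1)
+ except errors.NotFound:
+ pass
+ else:
+ entry = entries[0]
+ message = _('cannot add permission "%(perm)s" with bindtype '
+ '"%(bindtype)s" to a privilege')
+ raise errors.ValidationError(
+ name='permission',
+ error=message % {
+ 'perm': entry.single_value['cn'],
+ 'bindtype': entry.single_value.get(
+ 'ipapermbindruletype', 'permission')})
+ return dn
+
 @register()
 class privilege_remove_permission(LDAPRemoveReverseMember):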
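Review bot: The filter term `'(!(ipaPermBindRuleType=permission))'` also matches an ipaPermissionV2 entry that carries no ipaPermBindRuleType at all, and the message then falls back to `.get('ipapermbindruletype', 'permission')`, so such an entry would be refused with the text 'bindtype "permission"' — the very value the preceding comment says is the only one allowed. If the schema guarantees the attribute on every V2 entry that default is dead code; if it does not, add `'(ipaPermBindRuleType=*)'` to the filter list so only explicitly non-default bind rule types are rejected, or drop the default so the message reports the real state. Separately, `size_limit=1` means only the first offending name is reported when several were passed, and `truncated` is never read; `entries = ldap.find_entries(...)[0]` would make that intent explicit. A one-line docstring such as `"""Refuse permissions whose bind rule type is not the default 'permission' (old-style permissions are not affected)."""` would document why the check exists; the enclosing class header lies outside the hunk.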