author | Rob Crittenden <rcritten@redhat.com> | 2010-11-01 12:05:53 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2010-11-19 13:47:09 -0500 |
commit | 53d15537553e20a732d041ebddfd4ba69d5bb8dd (patch) | |
tree | 34fa2e91f2e34a231e1952fce3086b352f27a680 /ipalib/plugins | |
parent | 5c4dc1c2e95749559dac9c625859f4e1ced5a6e1 (diff) | |
Give a detached group a full set of group objectclasses.
The UUID plugin handles adding ipaUniqueId for us as well as the access
control for it.
ticket 250
Diffstat (limited to 'ipalib/plugins')
-rw-r--r-- | ipalib/plugins/baseldap.py | 4 | ||||
-rw-r--r-- | ipalib/plugins/group.py | 29 |
2 files changed, 25 insertions, 8 deletions
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index d742a791e..61fedd98a 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -234,6 +234,10 @@ class LDAPObject(Object):
         if parent_obj.primary_key:
             yield parent_obj.primary_key.clone(query=True)
 
+    def has_objectclass(self, classes, objectclass):
+        oc = map(lambda x:x.lower(),classes)
+        return objectclass.lower() in oc
+
     def convert_attribute_members(self, entry_attrs, *keys, **options):
         if options.get('raw', False):
             return
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 1994c010f..5ecc72ae8 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
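Review bot: has_objectclass has no docstring, and its contract — a case-insensitive membership test, which is what LDAP objectClass matching needs — is only discoverable from the two lower() calls; add `"""Return True if objectclass is in classes, compared case-insensitively."""`. Building the lowercased list with map() and a lambda is harder to read than a comprehension: `return objectclass.lower() in [c.lower() for c in classes]`. Under Python 3 map() yields an iterator, which `in` still consumes correctly, so this is a matter of style rather than behaviour.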
@@ -291,23 +291,28 @@ class group_detach(LDAPRemoveMember):
         group_dn = self.obj.get_dn(*keys, **options)
         user_dn = self.api.Object['user'].get_dn(*keys)
 
+        (user_dn, user_attrs) = ldap.get_entry(user_dn)
+        is_managed = self.obj.has_objectclass(user_attrs['objectclass'], 'mepmanagedentry')
         if (not ldap.can_write(user_dn, "objectclass") or
-            not ldap.can_write(user_dn, "mepManagedEntry")):
+            not (ldap.can_write(user_dn, "mepManagedEntry")) and is_managed):
             raise errors.ACIError(info=_('not allowed to modify user entries'))
 
+        (group_dn, group_attrs) = ldap.get_entry(group_dn)
+        is_managed = self.obj.has_objectclass(group_attrs['objectclass'], 'mepmanagedby')
         if (not ldap.can_write(group_dn, "objectclass") or
-            not ldap.can_write(group_dn, "mepManagedBy")):
+            not (ldap.can_write(group_dn, "mepManagedBy")) and is_managed):
             raise errors.ACIError(info=_('not allowed to modify group entries'))
 
-        (user_dn, user_attrs) = ldap.get_entry(user_dn)
         objectclasses = user_attrs['objectclass']
         try:
             i = objectclasses.index('mepOriginEntry')
+            del objectclasses[i]
+            update_attrs = {'objectclass': objectclasses, 'mepManagedEntry': None}
+            ldap.update_entry(user_dn, update_attrs)
         except ValueError:
-            raise NotFound(reason=_('Not a managed group'))
-        del objectclasses[i]
-        update_attrs = {'objectclass': objectclasses, 'mepManagedEntry': None}
-        ldap.update_entry(user_dn, update_attrs)
+            # Somehow the user isn't managed, let it pass for now. We'll
+            # let the group throw "Not managed".
+            pass
 
         (group_dn, group_attrs) = ldap.get_entry(group_dn)
         objectclasses = group_attrs['objectclass']
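Review bot: The names passed to has_objectclass do not match the objectclasses the rest of group_detach works with: the user check tests for 'mepmanagedentry' while the same hunk later removes 'mepOriginEntry' from user_attrs['objectclass'], and the group check tests for 'mepmanagedby' while the next hunk looks up 'mepManagedEntry' in group_attrs['objectclass'] — the tested strings are the attribute names the code then clears (`'mepManagedEntry': None`, `'mepManagedBy': None`), not objectclasses. Whenever is_managed comes out False the `ldap.can_write(..., "mepManagedEntry")` / `"mepManagedBy"` pre-check is skipped, yet update_entry still writes those attributes a few lines later, so a caller without that right would presumably get a raw directory error instead of the intended ACIError (the server still enforces its own ACIs, so this is a gap in the client-side pre-check rather than an authorization bypass). If the intent is to require the attribute right only when the entry carries the objectclass about to be removed, use `is_managed = self.obj.has_objectclass(user_attrs['objectclass'], 'meporiginentry')` and `is_managed = self.obj.has_objectclass(group_attrs['objectclass'], 'mepmanagedentry')`. Separately, the parentheses in `not (ldap.can_write(user_dn, "mepManagedEntry")) and is_managed` suggest a grouping Python does not apply; since `and` binds tighter than `or`, write the term as `(not ldap.can_write(user_dn, "mepManagedEntry") and is_managed)` so the reader sees the real precedence. The enclosing method starts before this hunk.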
@@ -315,8 +320,16 @@ class group_detach(LDAPRemoveMember):
             i = objectclasses.index('mepManagedEntry')
         except ValueError:
             # this should never happen
-            raise NotFound(reason=_('Not a managed group'))
+            raise errors.NotFound(reason=_('Not a managed group'))
         del objectclasses[i]
+
+        # Make sure the resulting group has the default group objectclasses
+        config = ldap.get_ipa_config()[1]
+        def_objectclass = config.get(
+            self.obj.object_class_config, objectclasses
+        )
+        objectclasses = list(set(def_objectclass + objectclasses))
+
         update_attrs = {'objectclass': objectclasses, 'mepManagedBy': None}
         ldap.update_entry(group_dn, update_attrs)
 
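Review bot: The merge `objectclasses = list(set(def_objectclass + objectclasses))` deduplicates case-sensitively, whereas the has_objectclass helper introduced in baseldap.py treats objectClass values as case-insensitive; an entry holding e.g. 'groupofnames' next to a configured 'groupOfNames' keeps both spellings, which the directory would likely reject as a duplicate value on the modify. A case-insensitive merge keeps one spelling per class: `merged = dict((oc.lower(), oc) for oc in objectclasses)`, `merged.update((oc.lower(), oc) for oc in def_objectclass)`, `objectclasses = list(merged.values())`. The same gap applies to `objectclasses.index('mepManagedEntry')` at the top of the hunk, which raises NotFound for a differently-cased value that has_objectclass would have accepted earlier in the method. The enclosing method starts before this hunk.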