author | Tomas Babej <tbabej@redhat.com> | 2014-09-30 08:12:42 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-09-30 10:42:06 +0200 |
commit | 51816930a662e0312589cca2981e8ae4d32da779 (patch) | |
tree | 3a39f2d698f4bbb0d70812256ddf6a1fbf08fa4d /ipalib | |
parent | 902655da5909f79ffde6a06d527bd1dbe9ee5f8a (diff) | |
download | freeipa-51816930a662e0312589cca2981e8ae4d32da779.tar.gz freeipa-51816930a662e0312589cca2981e8ae4d32da779.tar.xz freeipa-51816930a662e0312589cca2981e8ae4d32da779.zip |
idviews: Make sure only regular IPA objects are allowed to be overriden
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/plugins/idviews.py | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index 9c9747daf..3b0df0223 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -411,7 +411,23 @@ def resolve_object_to_anchor(ldap, obj_type, obj):
 
     try:
         entry = ldap.get_entry(api.Object[obj_type].get_dn(obj),
-                               attrs_list=['ipaUniqueID'])
+                               attrs_list=['ipaUniqueID', 'objectClass'])
+
+        # First we check this is a valid object to override
+        # - for groups, it must have ipaUserGroup objectclass
+        # - for users, it must have posixAccount objectclass
+
+        required_objectclass = {
+            'user': 'posixaccount',
+            'group': 'ipausergroup',
+        }[obj_type]
+
+        if required_objectclass not in entry['objectclass']:
+            raise errors.ValidationError(
+                name=_('IPA object'),
+                error=_('system IPA objects (e.g system groups, user '
+                        'private groups) cannot be overriden')
+            )
 
     # The domain prefix, this will need to be reworked once we
     # introduce IPA-IPA trusts
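Review bot: The membership test `required_objectclass not in entry['objectclass']` compares lowercase constants against whatever the LDAP layer hands back, and objectClass values are case-insensitive in LDAP and stored as `posixAccount`/`ipaUserGroup`; unless ipaldap already lowercases them (not visible from this hunk) the check would reject every object, so `if required_objectclass not in (oc.lower() for oc in entry['objectclass']):` is correct either way. The lookup `}[obj_type]` raises a bare KeyError for any obj_type other than 'user' or 'group', which would surface as an internal error rather than a ValidationError should a caller ever pass something else. The user-facing message has a typo: `'private groups) cannot be overridden'`. This guard only applies to overrides that pass through resolve_object_to_anchor from now on; overrides created before this change are presumably not re-validated. resolve_object_to_anchor's body continues outside the hunk.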