author | Petr Viktorin <pviktori@redhat.com> | 2014-09-12 09:59:52 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-09-12 18:22:17 +0200 |
commit | 6ce44c4f058f07b7ebc5903644f76dcd8d56b7b4 (patch) | |
tree | 925d14031317de92a90c47e612b4c4f57ace6212 /ipalib | |
parent | d61fb40542abb0aa66c49d987813099fda356adf (diff) | |
permission plugin: Auto-add operational atttributes to read permissions
The attributes entryusn, createtimestamp, and modifytimestamp
should be readable whenever their entry is, i.e. when we allow reading
the objectclass.
Automatically add them to every read permission that includes objectclass.
https://fedorahosted.org/freeipa/ticket/4534
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/plugins/permission.py | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 9e254a99b..9028f0248 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -503,6 +503,14 @@ class permission(baseldap.LDAPObject):
 def get_effective_attrs(self, entry):
 attrs = set(entry.get('ipapermdefaultattr', ()))
 attrs.update(entry.get('ipapermincludedattr', ()))
+ if ('read' in entry.get('ipapermright', ()) and
+ 'objectclass' in (x.lower() for x in attrs)):
+ # Add special-cased operational attributes
+ # We want to allow reading these whenever reading the objectclass
+ # is allowed.
+ # (But they can still be excluded explicitly, at least in managed
+ # permissions).
+ attrs.update((u'entryusn', u'createtimestamp', u'modifytimestamp'))
 attrs.difference_update(entry.get('ipapermexcludedattr', ()))
 return sorted(attrs) |
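Review bot: The exclusion step on the context line right after the new block (`attrs.difference_update(entry.get('ipapermexcludedattr', ()))`) still matches attribute names exactly, while the new inclusion test lowercases them, so the promise in the added comment that the operational attributes "can still be excluded explicitly" holds only when `ipapermexcludedattr` spells them in lowercase; an exclusion written as `createTimestamp` would not remove the auto-added `u'createtimestamp'`, unless exclusion values are already normalised before they reach `get_effective_attrs`. If they are not, comparing case-insensitively closes the gap: `excluded = set(x.lower() for x in entry.get('ipapermexcludedattr', ()))` followed by `attrs = set(x for x in attrs if x.lower() not in excluded)`. Because this method now widens the effective read set beyond what the permission entry itself lists, a one-line docstring stating that `entryusn`, `createtimestamp` and `modifytimestamp` are implied whenever `objectclass` is readable would help anyone auditing the resulting ACIs. The enclosing `permission` class continues past the hunk.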