author | Martin Kosek <mkosek@redhat.com> | 2011-01-27 12:17:10 +0100 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2011-01-28 23:51:09 -0500 |
commit | f72d8e506a82dc558f89a4d115f3aad261655ba8 (patch) | |
tree | 676df4d990e6997944cad60bac694598b4692b5e /ipalib | |
parent | 359d54e741877f04b0773fb0955041eee7ec0054 (diff) | |
ipa permission-mod --rename does not work
This patch fixes the nonfunctional rename operation in the permission
plugin. It also makes sure that no change is made to the underlying
ACI in pre_callback() when the target permission already exists.
Several tests for the rename operation have been created to ensure
that it won't break again unnoticed.
https://fedorahosted.org/freeipa/ticket/814
Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/plugins/permission.py | 27 |
1 files changed, 22 insertions, 5 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index 0c2855ff5..d1fe2d2b3 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py @@ -242,12 +242,26 @@ class permission_mod(LDAPUpdate): msg_summary = _('Modified permission "%(value)s"') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + # check if permission is in LDAP try: (dn, attrs) = ldap.get_entry( dn, attrs_list, normalize=self.obj.normalize_dn ) except errors.NotFound: self.obj.handle_not_found(*keys) + + # when renaming permission, check if the target permission does not + # exists already. Then, make changes to underlying ACI + if 'rename' in options: + try: + new_dn = dn.replace(keys[-1], options['rename'], 1) + (new_dn, attrs) = ldap.get_entry( + new_dn, attrs_list, normalize=self.obj.normalize_dn + ) + raise errors.DuplicateEntry() + except errors.NotFound: + pass # permission may be renamed, continue + opts = copy.copy(options) for o in ['all', 'raw', 'rights', 'description', 'rename']: if o in opts: @@ -292,15 +306,18 @@ class permission_mod(LDAPUpdate): def post_callback(self, ldap, dn, entry_attrs, *keys, **options): # rename the underlying ACI after the change to permission + cn = keys[-1] + if 'rename' in options: - aciname = keys[-1] # ACI still refers to the old permission CN - self.api.Command.aci_mod(aciname,aciprefix=ACI_PREFIX, + self.api.Command.aci_mod(cn,aciprefix=ACI_PREFIX, permission=options['rename']) - self.api.Command.aci_rename(aciname, aciprefix=ACI_PREFIX, - newname=keys[-1], newprefix=ACI_PREFIX) + self.api.Command.aci_rename(cn, aciprefix=ACI_PREFIX, + newname=options['rename'], newprefix=ACI_PREFIX) + + cn = options['rename'] # rename finished - result = self.api.Command.permission_show(keys[-1])['result'] + result = self.api.Command.permission_show(cn)['result'] for r in result: if not r.startswith('member'): entry_attrs[r] = result[r] |
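Review bot: In pre_callback the target DN is derived with `dn.replace(keys[-1], options['rename'], 1)`, a plain substring replace on the DN string, so the duplicate check can end up looking at a different entry than the one the rename will create. The first occurrence of the old name need not be the RDN value (if the RDN is `cn=<name>`, a permission named `n` would match inside the attribute type), and the new name is inserted without DN escaping, so a value containing `,` or `=` changes the DN's structure; in both cases the lookup most likely ends in NotFound and the check passes silently. Build the DN from the new name through the object's own DN helper instead, e.g. `new_dn = self.obj.get_dn(options['rename'])`, and move `raise errors.DuplicateEntry()` into an `else:` branch so the `try` covers only the lookup. pre_callback continues past the end of this hunk.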
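Review bot: In post_callback `aci_mod` and `aci_rename` run as two separate commands after the permission entry itself has been renamed, and nothing in the hunk handles a failure of either one. The duplicate check added to pre_callback looks only at the permission entry, so an existing ACI already named `options['rename']` under `ACI_PREFIX` would presumably make `aci_rename` fail and leave the renamed permission tied to an ACI that still carries the old name. Consider checking for that ACI name in pre_callback as well, or at least documenting the ordering with a comment such as `# permission entry is already renamed here; a failure below leaves the ACI under the old name`. post_callback's body continues outside the hunk.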