3 files changed, 51 insertions, 2 deletions

diff --git a/install/ui/src/freeipa/FieldBinder.js b/install/ui/src/freeipa/FieldBinder.js
index ed05d2531..7ee8e5874 100644
--- a/install/ui/src/freeipa/FieldBinder.js
+++ b/install/ui/src/freeipa/FieldBinder.js
@@ -121,6 +121,7 @@ define(['dojo/_base/declare',
             this.handle(field, 'require-change', this.on_field_require_change);
             this.handle(field, 'writable-change', this.on_field_writable_change);
             this.handle(field, 'readonly-change', this.on_field_readonly_change);
+            this.handle(field, 'acl-rights-change', this.on_field_acl_rights_change);
             this.handle(field, 'reset', this.on_field_reset);
 
             this.handle(widget, 'value-change', this.on_widget_value_change);
@@ -241,6 +242,18 @@ define(['dojo/_base/declare',
         },
 
         /**
+         * Field acl rights change handler
+         * @protected
+         */
+        on_field_acl_rights_change: function(event) {
+
+            var readable= event.rights.indexOf('r') > -1;
+            if (this.widget.set_readable) {
+                this.widget.set_readable(readable);
+            }
+        },
+
+        /**
          * Field reset handler
          *
          * @param {Object} event
diff --git a/install/ui/src/freeipa/field.js b/install/ui/src/freeipa/field.js
index ea22d6d06..f53c6c1d0 100644
--- a/install/ui/src/freeipa/field.js
+++ b/install/ui/src/freeipa/field.js
@@ -106,6 +106,16 @@ field.field = IPA.field = function(spec) {
     that.acl_param = spec.acl_param || that.param;
 
     /**
+     * Rights which determines what operation can do with this field or
+     * attribute.
+     *
+     * E.g., 'rscwo' - read, search, compare, write(mod-add), obliterate(mod-del)
+     *
+     * @property {string}
+     */
+    that.acl_rights = spec.acl_rights || 'r';
+
+    /**
      * Label
      * @property {string}
      */
@@ -449,6 +459,7 @@ field.field = IPA.field = function(spec) {
     that.load_writable = function(record) {
 
         var writable = true;
+        var old = that.acl_rights;
 
         function has_write(record, param) {
             var rights = record.attributelevelrights[param];
@@ -466,11 +477,17 @@ field.field = IPA.field = function(spec) {
             }
         }
 
-        if (record && record.attributelevelrights && writable) {
+        if (record && record.attributelevelrights) {
             var rights = record.attributelevelrights[that.acl_param];
             var write_attr = has_write(record, that.acl_param);
+            var all_rights = record.attributelevelrights['*'];
             var write_all = has_write(record, '*');
 
+            // don't assume any value if the rights are not defined, keep the original
+            if (rights !== undefined || all_rights !== undefined) {
+                that.acl_rights = rights || all_rights || '';
+            }
+
             // Some objects in LDAP may not have proper object class set and
             // therefore server doesn't send proper attribute rights. Flag
             // 'w_if_no_aci' should be used when we want to ensure that UI
@@ -480,10 +497,13 @@ field.field = IPA.field = function(spec) {
             var may_add_oc = !rights && write_oc && that.flags.indexOf('w_if_no_aci') > -1;
 
             // If no rights, change writable to False:
-            writable = write_attr || write_all || may_add_oc;
+            writable = writable && (write_attr || write_all || may_add_oc);
         }
 
         that.set_writable(writable);
+        if (old !== that.acl_rights) {
+            that.emit('acl-rights-change', { source: that, rights: that.acl_rights, old: old });
+        }
     };
 
     /**
diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js
index d5837e7ea..252fe0208 100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -406,6 +406,9 @@ IPA.input_widget = function(spec) {
      */
     that.ctor_init = function() {
         on(that, 'value-change', that.hide_if_empty);
+        on(that, 'readable-change', function() {
+            that.set_visible();
+        });
     };
 
     /**
@@ -641,9 +644,22 @@ IPA.input_widget = function(spec) {
         if (that.has_value === false && !that.is_writable() && that.hidden_if_empty) {
             visible = false;
         }
+        if (that.readable !== undefined) {
+            visible = visible && that.readable;
+        }
         return visible;
     };
 
+    that.set_readable = function(readable) {
+
+        var old = that.readable;
+        that.readable = readable;
+
+        if (old !== that.readable) {
+            that.emit('readable-change', { source: that, readable: readable });
+        }
+    };
+
     /**
      * Widget is writable
      * @return {boolean}