summaryrefslogtreecommitdiffstats
path: root/ipalib/plugins/permission.py
diff options
context:
space:
mode:
Diffstat (limited to 'ipalib/plugins/permission.py')
-rw-r--r--ipalib/plugins/permission.py30
1 files changed, 28 insertions, 2 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index b11efdab0..61aba5260 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -73,9 +73,16 @@ from ipalib.plugins.baseldap import *
from ipalib import api, _, ngettext
from ipalib import Flag, Str, StrEnum
from ipalib.request import context
+from ipalib import errors
ACI_PREFIX=u"permission"
+output_params = (
+ Str('ipapermissiontype',
+ label=_('Permission Type'),
+ ),
+)
+
class permission(LDAPObject):
"""
Permission object.
@@ -83,9 +90,9 @@ class permission(LDAPObject):
container_dn = api.env.container_permission
object_name = 'permission'
object_name_plural = 'permissions'
- object_class = ['groupofnames']
+ object_class = ['groupofnames', 'ipapermission']
default_attributes = ['cn', 'member', 'memberof',
- 'memberindirect',
+ 'memberindirect', 'ipapermissiontype',
]
aci_attributes = ['group', 'permissions', 'attrs', 'type',
'filter', 'subtree', 'targetgroup',
@@ -150,6 +157,17 @@ class permission(LDAPObject):
),
)
+ # Don't allow SYSTEM permissions to be modified or removed
+ def check_system(self, ldap, dn, *keys):
+ try:
+ (dn, entry_attrs) = ldap.get_entry(dn, ['ipapermissiontype'])
+ except errors.NotFound:
+ self.handle_not_found(*keys)
+ if 'ipapermissiontype' in entry_attrs:
+ if 'SYSTEM' in entry_attrs['ipapermissiontype']:
+ return False
+ return True
+
api.register(permission)
@@ -220,6 +238,8 @@ class permission_del(LDAPDelete):
msg_summary = _('Deleted permission "%(value)s"')
def pre_callback(self, ldap, dn, *keys, **options):
+ if not self.obj.check_system(ldap, dn, *keys):
+ raise errors.ACIError(info='A SYSTEM permission may not be removed')
# remove permission even when the underlying ACI is missing
try:
self.api.Command.aci_del(keys[-1], aciprefix=ACI_PREFIX)
@@ -236,8 +256,12 @@ class permission_mod(LDAPUpdate):
"""
msg_summary = _('Modified permission "%(value)s"')
+ has_output_params = LDAPUpdate.has_output_params + output_params
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ if not self.obj.check_system(ldap, dn, *keys):
+ raise errors.ACIError(info='A SYSTEM permission may not be modified')
+
# check if permission is in LDAP
try:
(dn, attrs) = ldap.get_entry(
@@ -330,6 +354,7 @@ class permission_find(LDAPSearch):
msg_summary = ngettext(
'%(count)d permission matched', '%(count)d permissions matched'
)
+ has_output_params = LDAPSearch.has_output_params + output_params
def post_callback(self, ldap, entries, truncated, *args, **options):
for entry in entries:
@@ -378,6 +403,7 @@ class permission_show(LDAPRetrieve):
"""
Display information about a permission.
"""
+ has_output_params = LDAPRetrieve.has_output_params + output_params
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
try:
aci = self.api.Command.aci_show(keys[-1], aciprefix=ACI_PREFIX)['result']