Diffstat (limited to 'ipalib/plugins/permission.py')
-rw-r--r--ipalib/plugins/permission.py11
1 files changed, 7 insertions, 4 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index be08b148c..65220b6e0 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -689,10 +689,10 @@ class permission(baseldap.LDAPObject):
If true, a dictionary of operations on ipapermtargetfilter is
returned.
These operations must be performed after the existing entry
- is retreived.
+ is retrieved.
The dict has the following keys:
- - remove: list of regular expression objects; values that match
- any of them sould be removed
+ - remove: list of regular expression objects;
+ implicit values that match any of them should be removed
- add: list of values to be added, after any removals
:merge_targetfilter:
If true, the extratargetfilter is copied into ipapermtargetfilter.
@@ -1042,10 +1042,13 @@ class permission_mod(baseldap.LDAPUpdate):
list(filter_attr_info['implicit_targetfilters']))
filter_ops = context.filter_ops
+ old_filter_attr_info = self.obj._get_filter_attr_info(old_entry)
+ old_implicit_filters = old_filter_attr_info['implicit_targetfilters']
removes = filter_ops.get('remove', [])
new_filters = set(
filt for filt in (entry.get('ipapermtargetfilter') or [])
- if not any(rem.match(filt) for rem in removes))
+ if filt not in old_implicit_filters or
+ not any(rem.match(filt) for rem in removes))
new_filters.update(filter_ops.get('add', []))
new_filters.update(options.get('ipapermtargetfilter') or [])
entry['ipapermtargetfilter'] = list(new_filters)
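Review bot: The new keep-condition in the `new_filters` generator has no comment saying why the `remove` patterns are now applied only to members of `old_implicit_filters`, and this is the expression that decides which target filters end up in the permission's ACI. A filter dropped here presumably widens the set of entries the permission covers, so the intent should be stated above the `set(` call, e.g. `# Only implicit filters of the old entry may be removed; user-supplied filters are kept even when a remove pattern matches them`. The `filt not in old_implicit_filters` test is an exact string comparison, so it appears to rely on `_get_filter_attr_info(old_entry)` returning filters in the same textual form as `entry['ipapermtargetfilter']`; that is worth confirming. The enclosing method begins outside this hunk.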