Diffstat (limited to 'ipalib/plugins/permission.py')
-rw-r--r--ipalib/plugins/permission.py8
1 files changed, 8 insertions, 0 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 9e254a99b..9028f0248 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -503,6 +503,14 @@ class permission(baseldap.LDAPObject):
def get_effective_attrs(self, entry):
attrs = set(entry.get('ipapermdefaultattr', ()))
attrs.update(entry.get('ipapermincludedattr', ()))
+ if ('read' in entry.get('ipapermright', ()) and
+ 'objectclass' in (x.lower() for x in attrs)):
+ # Add special-cased operational attributes
+ # We want to allow reading these whenever reading the objectclass
+ # is allowed.
+ # (But they can still be excluded explicitly, at least in managed
+ # permissions).
+ attrs.update((u'entryusn', u'createtimestamp', u'modifytimestamp'))
attrs.difference_update(entry.get('ipapermexcludedattr', ()))
return sorted(attrs)
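Review bot: The explicit exclusion promised by the new comment is case-sensitive, while the `objectclass` trigger above it is not. The added `attrs.update(...)` inserts lower-case `entryusn`, `createtimestamp` and `modifytimestamp`, and the following `attrs.difference_update(entry.get('ipapermexcludedattr', ()))` removes only exact string matches. If an excluded value is stored as `createTimestamp` or `entryUSN`, the exclusion would silently not apply and the permission would grant read on more attributes than the administrator intended; whether these values are normalised to lower case elsewhere is not visible in this hunk. Consider a case-insensitive comparison, e.g. `excluded = set(x.lower() for x in entry.get('ipapermexcludedattr', ()))` followed by `attrs = set(a for a in attrs if a.lower() not in excluded)`. A test with a mixed-case excluded attribute would pin the behaviour down.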