diff options
Diffstat (limited to 'ipalib')
| -rw-r--r-- | ipalib/errors.py | 32 | ||||
| -rw-r--r-- | ipalib/plugins/group.py | 16 | ||||
| -rw-r--r-- | ipalib/plugins/user.py | 9 |
3 files changed, 54 insertions, 3 deletions
diff --git a/ipalib/errors.py b/ipalib/errors.py index df4ab4167..407d9f7db 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -1575,6 +1575,38 @@ class DependentEntry(ExecutionError): format = _('%(key)s cannot be deleted because %(label)s %(dependent)s requires it') +class LastMemberError(ExecutionError): + """ + **4308** Raised when an entry being deleted is last member of a protected group + + For example: + >>> raise LastMemberError(key=u'admin', label=u'group', container=u'admins') + Traceback (most recent call last): + ... + LastMemberError: admin cannot be deleted because it is the last member of group admins + + """ + + errno = 4308 + format = _('%(key)s cannot be deleted because it is the last member of %(label)s %(container)s') + + +class ProtectedEntryError(ExecutionError): + """ + **4309** Raised when an entry being deleted is protected + + For example: + >>> raise ProtectedEntryError(label=u'group', key=u'admins', reason=u'privileged group') + Traceback (most recent call last): + ... + ProtectedEntryError: group admins cannot be deleted: privileged group + + """ + + errno = 4309 + format = _('%(label)s %(key)s cannot be deleted: %(reason)s') + + ############################################################################## # 5000 - 5999: Generic errors diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index 13208542c..65657363a 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py @@ -72,6 +72,8 @@ EXAMPLES: ipa group-show localadmins """) +protected_group_name = u'admins' + class group(LDAPObject): """ Group object. @@ -164,7 +166,9 @@ class group_del(LDAPDelete): group_attrs = self.obj.methods.show( self.obj.get_primary_key_from_dn(dn), all=True )['result'] - + if keys[0] == protected_group_name: + raise errors.ProtectedEntryError(label=_(u'group'), key=keys[0], + reason=_(u'privileged group')) if 'mepmanagedby' in group_attrs: raise errors.ManagedGroupError() return dn @@ -276,6 +280,16 @@ api.register(group_add_member) class group_remove_member(LDAPRemoveMember): __doc__ = _('Remove members from a group.') + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + if keys[0] == protected_group_name: + result = api.Command.group_show(protected_group_name) + users_left = set(result['result'].get('member_user', [])) + users_deleted = set(options['user']) + if users_left.issubset(users_deleted): + raise errors.LastMemberError(key=sorted(users_deleted)[0], + label=_(u'group'), container=protected_group_name) + return dn + api.register(group_remove_member) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index b48e68022..7e98bba4c 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -544,8 +544,13 @@ class user_del(LDAPDelete): msg_summary = _('Deleted user "%(value)s"') - def post_callback(self, ldap, dn, *keys, **options): - return True + def pre_callback(self, ldap, dn, *keys, **options): + protected_group_name = u'admins' + result = api.Command.group_show(protected_group_name) + if result['result'].get('member_user', []) == [keys[-1]]: + raise errors.LastMemberError(key=keys[-1], label=_(u'group'), + container=protected_group_name) + return dn api.register(user_del) |