From a76c92ccd44ff0a28b789fdbfed5cf45d164eb80 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tbabej@redhat.com>
Date: Tue, 21 Jul 2015 12:44:37 +0200
Subject: idviews: Check for the Default Trust View only if applying the view

Currently, the code wrongly validates the idview-unapply command. Move
check for the forbidden application of the Default Trust View into
the correct logical branch.

https://fedorahosted.org/freeipa/ticket/4969

Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 ipalib/plugins/idviews.py | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index 4a1416224..48f646b81 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -256,17 +256,19 @@ class baseidview_apply(LDAPQuery):
         if not options.get('clear_view', False):
             view_dn = self.api.Object['idview'].get_dn_if_exists(view)
             assert isinstance(view_dn, DN)
+
+            # Check that we're not applying the Default Trust View
+            if view.lower() == DEFAULT_TRUST_VIEW_NAME:
+                raise errors.ValidationError(
+                    name=_('ID View'),
+                    error=_('Default Trust View cannot be applied on hosts')
+                )
+
         else:
             # In case we are removing assigned view, we modify the host setting
             # the ipaAssignedIDView to None
             view_dn = None
 
-        if view.lower() == DEFAULT_TRUST_VIEW_NAME:
-            raise errors.ValidationError(
-                name=_('ID View'),
-                error=_('Default Trust View cannot be applied on hosts')
-            )
-
         completed = 0
         succeeded = {'host': []}
         failed = {
-- 
cgit