From 855c59c7fcbeaa8f1caff6c3e5c61b0524eab53d Mon Sep 17 00:00:00 2001 From: Petr Vobornik Date: Thu, 19 Jun 2014 17:09:38 +0200 Subject: webui: support wildcard attribute level rights Reproduction: * add 'extensibleObject' object class to target object https://fedorahosted.org/freeipa/ticket/4380 Reviewed-By: Endi Sukma Dewata --- install/ui/src/freeipa/field.js | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) (limited to 'install/ui/src/freeipa/field.js')
diff --git a/install/ui/src/freeipa/field.js b/install/ui/src/freeipa/field.js
index c2e96b392..5905bbab6 100644
--- a/install/ui/src/freeipa/field.js
+++ b/install/ui/src/freeipa/field.js
@@ -450,6 +450,12 @@ field.field = IPA.field = function(spec) {
 var writable = true;
+ function has_write(record, param) {
+ var rights = record.attributelevelrights[param];
+ var has = !!rights && rights.indexOf('w') > -1;
+ return has;
+ }
+
 if (that.metadata) {
 if (that.metadata.primary_key) {
 writable = false;
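Review bot: `has_write` dereferences `record.attributelevelrights` without checking that it exists, and nothing at its definition states that precondition. The only calls visible in this patch (in the next hunk) sit inside the `record && record.attributelevelrights` guard, so it is safe today, but a later caller could use it unguarded. A one-line comment above the helper would record the contract, e.g. `// True if attributelevelrights[param] contains 'w'; caller must ensure record.attributelevelrights is set.` The intermediate `has` variable could also be folded into `return !!rights && rights.indexOf('w') > -1;`. The enclosing function `field.field` starts before and continues past this hunk.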
@@ -460,21 +466,21 @@ field.field = IPA.field = function(spec) {
 }
 }
- if (record && record.attributelevelrights) {
+ if (record && record.attributelevelrights && writable) {
 var rights = record.attributelevelrights[that.acl_param];
- var oc_rights= record.attributelevelrights['objectclass'];
- var write_oc = oc_rights && oc_rights.indexOf('w') > -1;
+ var write_attr = has_write(record, that.acl_param);
+ var write_all = has_write(record, '*');
- // Some objects in LDAP may not have set proper object class and
+ // Some objects in LDAP may not have proper object class set and
 // therefore server doesn't send proper attribute rights. Flag
 // 'w_if_no_aci' should be used when we want to ensure that UI
 // shows edit interface in such cases. Usable only when user can
 // modify object classes.
- // For all others, lack of rights means no write.
- if ((!rights && !(that.flags.indexOf('w_if_no_aci') > -1 && write_oc)) ||
- (rights && rights.indexOf('w') < 0)) {
- writable = false;
- }
+ var write_oc = has_write(record, 'objectclass');
+ var may_add_oc = !rights && write_oc && that.flags.indexOf('w_if_no_aci') > -1;
+
+ // If no rights, change writable to False:
+ writable = write_attr || write_all || may_add_oc;
 }
 that.set_writable(writable);
-- cgit
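Review bot: In `writable = write_attr || write_all || may_add_oc;` a `'*'` entry containing `w` now overrides an explicit per-attribute entry that lacks `w`, whereas the removed branch `(rights && rights.indexOf('w') < 0)` forced `writable = false` in that case. If the server can return both an explicit entry and a wildcard entry for the same record (not visible in this patch), the field would render as editable and the user would only find out when the modify is rejected. Consider treating the wildcard as a fallback only, `var write_all = !rights && has_write(record, '*');`, which mirrors how `may_add_oc` is already gated on `!rights`. The enclosing function starts and ends outside this hunk.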