From 3dae8f18a67185c08dfa52d2e8f7cfcf9b5661b1 Mon Sep 17 00:00:00 2001
From: Pavel Zuna
Date: Tue, 25 Jan 2011 15:25:52 -0500
Subject: Raise ValidationError when adding unallowed attribute to search fields. Ticket #845
---
 ipalib/plugins/config.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
(limited to 'ipalib/plugins/config.py')
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index 438f66385..390542d13 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -195,6 +195,22 @@ class config_mod(LDAPUpdate):
 api.Command['group_show'](group)
 except errors.NotFound:
 raise errors.NotFound(message=unicode("The group doesn't exist"))
+ kw = {}
+ if 'ipausersearchfields' in entry_attrs:
+ kw['ipausersearchfields'] = 'ipauserobjectclasses'
+ if 'ipagroupsearchfields' in entry_attrs:
+ kw['ipagroupsearchfields'] = 'ipagroupobjectclasses'
+ if kw:
+ config = ldap.get_ipa_config(kw.values())
+ for (k, v) in kw.iteritems():
+ allowed_attrs = ldap.get_allowed_attributes(config[1][v])
+ fields = entry_attrs[k].split(',')
+ for a in fields:
+ a = a.strip()
+ if a not in allowed_attrs:
+ raise errors.ValidationError(
+ name=k, error='attribute "%s" not allowed' % a
+ )
 return dn

 api.register(config_mod)
-- 
cgit
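Review bot: `fields = entry_attrs[k].split(',')` assumes the submitted value is a non-empty string, but the `'ipausersearchfields' in entry_attrs` test only checks that the key is present. If the option can arrive as None (the attribute being cleared), this raises AttributeError instead of a ValidationError; confirm against the parameter definition and guard with `if not entry_attrs[k]: continue` before the split. The allowed set is built from `ldap.get_ipa_config(kw.values())`, which looks like the stored object classes, so a single call that changes `ipauserobjectclasses` together with the search fields would presumably be validated against the old classes; `entry_attrs.get(v, config[1][v])` would use the submitted ones when present. The test `a not in allowed_attrs` is also case-sensitive while LDAP attribute names are not, so check which case `get_allowed_attributes` returns. The enclosing method starts outside the hunk.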