From c6ef39b2c04c7b09848226d7454c983924cbdfed Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Tue, 1 Feb 2011 11:57:18 -0500
Subject: Add new schema to store information about permissions.

There are some permissions we can't display because they are stored outside of the basedn (such as the replication permissions). We are adding a new attribute to store extra information to make this clear, in this case SYSTEM.

ticket 853
---
 ipalib/plugins/permission.py | 30 ++++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

(limited to 'ipalib')

diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index b11efdab0..61aba5260 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -73,9 +73,16 @@ from ipalib.plugins.baseldap import *
 from ipalib import api, _, ngettext
 from ipalib import Flag, Str, StrEnum
 from ipalib.request import context
+from ipalib import errors
 ACI_PREFIX=u"permission"
+output_params = (
+    Str('ipapermissiontype',
+        label=_('Permission Type'),
+    ),
+)
+
 class permission(LDAPObject):
     """
     Permission object.
@@ -83,9 +90,9 @@ class permission(LDAPObject):
     container_dn = api.env.container_permission
     object_name = 'permission'
     object_name_plural = 'permissions'
-    object_class = ['groupofnames']
+    object_class = ['groupofnames', 'ipapermission']
     default_attributes = ['cn', 'member', 'memberof',
-        'memberindirect',
+        'memberindirect', 'ipapermissiontype',
     ]
     aci_attributes = ['group', 'permissions', 'attrs', 'type', 'filter',
         'subtree', 'targetgroup',
@@ -150,6 +157,17 @@ class permission(LDAPObject):
             ),
         )
+    # Don't allow SYSTEM permissions to be modified or removed
+    def check_system(self, ldap, dn, *keys):
+        try:
+            (dn, entry_attrs) = ldap.get_entry(dn, ['ipapermissiontype'])
+        except errors.NotFound:
+            self.handle_not_found(*keys)
+        if 'ipapermissiontype' in entry_attrs:
+            if 'SYSTEM' in entry_attrs['ipapermissiontype']:
+                return False
+        return True
+
 api.register(permission)
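Review bot: In `check_system`, `entry_attrs` is bound only on the success path of the `try`, so if `self.handle_not_found(*keys)` ever returns instead of raising, the following `if 'ipapermissiontype' in entry_attrs` fails with an UnboundLocalError rather than a clean not-found error; a bare `raise` after that call (or a `return` from the `except`) makes the intent explicit. The SYSTEM test is also a case-sensitive Python membership check on the raw attribute values; whether the directory normalises case for `ipapermissiontype` is not visible here, so if the attribute uses a case-insensitive syntax a stored value such as `system` would slip past the guard, and `if 'SYSTEM' in [v.upper() for v in entry_attrs.get('ipapermissiontype', [])]:` would close that while folding the two `if`s into one. Worth a comment above the method that the flag is enforced only by this plugin (anyone with direct LDAP write access to the entry can clear it), so it is a rail against API misuse rather than an access control. `check_system` is a method of `permission`, whose class header sits in an earlier hunk.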
@@ -220,6 +238,8 @@ class permission_del(LDAPDelete):
     msg_summary = _('Deleted permission "%(value)s"')
     def pre_callback(self, ldap, dn, *keys, **options):
+        if not self.obj.check_system(ldap, dn, *keys):
+            raise errors.ACIError(info='A SYSTEM permission may not be removed')
         # remove permission even when the underlying ACI is missing
         try:
             self.api.Command.aci_del(keys[-1], aciprefix=ACI_PREFIX)
@@ -236,8 +256,12 @@ class permission_mod(LDAPUpdate):
     """
     msg_summary = _('Modified permission "%(value)s"')
+    has_output_params = LDAPUpdate.has_output_params + output_params
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+        if not self.obj.check_system(ldap, dn, *keys):
+            raise errors.ACIError(info='A SYSTEM permission may not be modified')
+
         # check if permission is in LDAP
         try:
             (dn, attrs) = ldap.get_entry(
@@ -330,6 +354,7 @@ class permission_find(LDAPSearch):
     msg_summary = ngettext(
         '%(count)d permission matched', '%(count)d permissions matched'
     )
+    has_output_params = LDAPSearch.has_output_params + output_params
     def post_callback(self, ldap, entries, truncated, *args, **options):
         for entry in entries:
@@ -378,6 +403,7 @@ class permission_show(LDAPRetrieve):
     """
     Display information about a permission.
     """
+    has_output_params = LDAPRetrieve.has_output_params + output_params
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         try:
             aci = self.api.Command.aci_show(keys[-1], aciprefix=ACI_PREFIX)['result']
-- 
cgit
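Review bot: The new guard in `permission_mod.pre_callback` protects entries already flagged SYSTEM, but nothing in the hunk stops a client from putting the flag on an ordinary permission: `ipapermissiontype` is now a known attribute of the object and, if `LDAPUpdate` honours generic set/add-attribute options here as it appears to elsewhere in this framework (not visible in the hunk), a caller with modify rights could write `ipapermissiontype=SYSTEM` and lock the entry against any further `permission-mod` or `permission-del` through this API. Rejecting the attribute in the same pre_callback would close that, e.g. `if 'ipapermissiontype' in entry_attrs:` followed by `    raise errors.ACIError(info='ipapermissiontype may not be set by clients')`. The `check_system` call also fetches the entry immediately before the existing `ldap.get_entry` in this method fetches it again, so the SYSTEM test could be folded into that second read by adding `'ipapermissiontype'` to its attribute list. `pre_callback` continues past the end of the hunk.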