From eb9cb783ee171e2f8e9921399db65280ba9dfd21 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Fri, 17 Dec 2010 15:35:24 -0500
Subject: Catch ACI errors better when adding a permission.
We create the aci with the --test flag to test its validity but it doesn't do the same level of tests that actually adding an aci to LDAP does. Catch any syntax errors that get thrown and clean up as best we can.
ticket 621
---
 ipalib/plugins/permission.py | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
(limited to 'ipalib')
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 0587564ed..058a2cd3e 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -185,8 +185,21 @@ class permission_add(LDAPCreate):
 for attr in self.obj.aci_attributes:
 if attr in result:
 entry_attrs[attr] = result[attr]
+ except errors.InvalidSyntax, e:
+ # A syntax error slipped past our attempt at validation, clean up
+ self.api.Command.permission_del(keys[-1])
+ raise e
 except Exception, e:
- self.api.Command.aci_del(keys[-1])
+ # Something bad happened, clean up as much as we can and return
+ # that error
+ try:
+ self.api.Command.permission_del(keys[-1])
+ except Exception, ignore:
+ pass
+ try:
+ self.api.Command.aci_del(keys[-1])
+ except Exception, ignore:
+ pass
 raise e
 return dn
@@ -317,7 +330,7 @@ class permission_find(LDAPSearch):
 if aci['permission'] == attrs['cn']:
 found = True
 break
- if not found in aci:
+ if not found:
 permission = self.api.Command.permission_show(aci['permission'])
 attrs = permission['result']
 for attr in self.obj.aci_attributes:
@@ -325,7 +338,8 @@ class permission_find(LDAPSearch):
 attrs[attr] = aci[attr]
 dn = attrs['dn']
 del attrs['dn']
- newentries.append((dn, attrs))
+ if (dn, attrs) not in entries:
+ newentries.append((dn, attrs))
 return newentries
-- cgit
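Review bot: The new `except errors.InvalidSyntax` branch calls `permission_del(keys[-1])` unguarded, so if that cleanup itself fails the caller receives the cleanup error instead of the syntax error. The generic branch below it does guard both deletes, but it discards their failures with `pass`. A failed `aci_del` there would leave an ACI in the directory with no permission entry managing it, and nothing records that. I would wrap the first `permission_del` in the same `try`/`except`, and in all three handlers replace `pass` with a log call naming `keys[-1]` and the exception, using whatever logger this plugin already has in scope, so an incomplete rollback of an access-control entry is visible to an operator. The enclosing `try` starts above the hunk, so which call actually raised is not visible here.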
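Review bot: The added guard `if (dn, attrs) not in entries:` in the last hunk compares the whole `(dn, attrs)` tuple by equality, and by that point `attrs` has had the ACI attributes copied in and its `'dn'` key deleted. It therefore probably matches an element of `entries` only when that element was built in exactly the same way, so a permission already listed under the same dn with different attribute content would still be appended a second time. Comparing on the dn alone states the intent: `if dn not in [edn for (edn, _) in entries]:`. The loop and the construction of `entries` lie outside the hunk, so this should be confirmed against the full method; a one-line comment saying how the duplicate can arise would also help the next reader.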