From 03b3dbd2ab588c9324400cf301aa32b251f3aa94 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 22 Apr 2008 15:56:45 -0400
Subject: Don't let a user change their own uid. Fix some related errors if
 they try.

440895
---
 ipa-server/ipa-gui/ipagui/proxyprovider.py       | 4 ++--
 ipa-server/ipa-gui/ipagui/subcontrollers/user.py | 7 ++++++-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/ipa-server/ipa-gui/ipagui/proxyprovider.py b/ipa-server/ipa-gui/ipagui/proxyprovider.py
index 2c55a131..90257d39 100644
--- a/ipa-server/ipa-gui/ipagui/proxyprovider.py
+++ b/ipa-server/ipa-gui/ipagui/proxyprovider.py
@@ -37,14 +37,14 @@ class IPA_User(object):
     def __init__(self, user_name):
         self.user_name = user_name
         (principal, realm) = user_name.split('@')
-        self.display_name = principal
         self.permissions = None
         transport = funcs.IPAServer()
         client = ipa.ipaclient.IPAClient(transport)
         client.set_krbccache(os.environ["KRB5CCNAME"])
         try:
             # Use memberof so we can see recursive group memberships as well.
-            user = client.get_user_by_principal(user_name, ['dn', 'memberof'])
+            user = client.get_user_by_principal(user_name, ['dn', 'uid', 'memberof'])
+            self.display_name = user.getValue('uid')
             self.groups = []
             memberof = user.getValues('memberof')
             if memberof is None:
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
index 5baaf3fb..f57a2973 100644
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
@@ -453,10 +453,15 @@ class UserController(IPAController):
         # the edit URI.
         if ((not 'admins' in turbogears.identity.current.groups and
             not 'editors' in turbogears.identity.current.groups) and 
-            (kw.get('uid') != turbogears.identity.current.display_name)):
+            (kw.get('uid_hidden') != turbogears.identity.current.display_name)):
             turbogears.flash("You do not have permission to update this user.")
             raise turbogears.redirect('/user/show', uid=kw.get('uid'))
 
+        if (kw.get('uid_hidden') == turbogears.identity.current.display_name and
+            kw.get('uid') != kw.get('uid_hidden')):
+            turbogears.flash("You cannot change your own login name.")
+            raise turbogears.redirect('/user/show', uid=kw.get('uid_hidden'))
+
         # Decode the group data, in case we need to round trip
         user_groups_dicts = loads(b64decode(kw.get('user_groups_data')))
 
-- 
cgit