author | Rob Crittenden <rcritten@redhat.com> | 2008-02-27 15:14:52 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2008-02-27 15:14:52 -0500 |
commit | 999bd4fb1e4f601759b9eb7d40c27ec983c99329 (patch) | |
tree | 57e792bcca31472414f9e9e771834d53afce6769 /ipa-admintools/ipa-moddelegation | |
parent | ad8096b51f1f8de2c05a5c53952fcb2cb5bbd116 (diff) | |
In the UI we don't want to display Edit links unless someone can actually
edit things. We use the 'editors' group for this. This group itself grants
no permission other than displaying certain things in the UI.
In order to be in the editors group a user must be a member of a group that
is the source group in a delegation. The memberof plugin will do all the
hard work to be sure that a user's memberof contains cn=editors if they
are in a delegated group.
432874
Diffstat (limited to 'ipa-admintools/ipa-moddelegation')
-rw-r--r-- | ipa-admintools/ipa-moddelegation | 29 |
1 files changed, 26 insertions, 3 deletions
diff --git a/ipa-admintools/ipa-moddelegation b/ipa-admintools/ipa-moddelegation
index 773c784d..61aab5e1 100644
--- a/ipa-admintools/ipa-moddelegation
+++ b/ipa-admintools/ipa-moddelegation
@@ -49,9 +49,9 @@ def main():
 if options.list:
 client = ipaclient.IPAClient()
- list = client.get_all_attrs()
+ l = client.get_all_attrs()
- for x in list:
+ for x in l:
 print x
 return 0
@@ -124,12 +124,15 @@ def main():
 old_aci = None
 acistr = None
+ aci_list = []
 for aci_str in aci_str_list:
 try:
 old_aci = ipa.aci.ACI(aci_str)
 if old_aci.name == args[1]:
 acistr = aci_str
- break
+ orig_group = old_aci.source_group
+ else:
+ aci_list.append(old_aci)
 except SyntaxError:
 # ignore aci_str's that ACI can't parse
 pass
@@ -162,6 +165,26 @@ def main():
 client.update_entry(aci_entry)
+ if options.source:
+ last = True
+ # If this is the last delegation for a group, remove it from editors
+ for a in aci_list:
+ if orig_group == a.source_group:
+ last = False
+ break
+
+ if last:
+ group = client.get_entry_by_cn("editors")
+ client.remove_member_from_group(orig_group, group.dn)
+
+ # Now add to the editors group so they can make changes in the UI
+ try:
+ group = client.get_entry_by_cn("editors")
+ client.add_group_to_group(new_aci.source_group, group.dn)
+ except ipa.ipaerror.exception_for(ipa.ipaerror.LDAP_EMPTY_MODLIST):
+ # This is ok, ignore it
+ pass
+
 print "Delegation %s successfully updated" % args[1]
 return 0 |
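Review bot: With the `break` removed in the second hunk, the loop keeps reassigning `old_aci` after the match, so when it finishes `old_aci` holds the last ACI that parsed rather than the delegation named by `args[1]`. If main() reads `old_aci` after the loop (that part is outside the hunk), it would see the wrong entry; parsing into a loop-local name, `aci = ipa.aci.ACI(aci_str)`, and keeping only `acistr` and `orig_group` from the match avoids that. `orig_group` is also bound only when a match is found, so the later editors-group code relies on an earlier exit for the not-found case, which is not visible here. ACIs that raise SyntaxError never reach `aci_list`, so the "last delegation" check can undercount; a comment such as `# unparseable ACIs are not counted when deciding editors membership` would make that explicit.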
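Review bot: In the third hunk, `client.remove_member_from_group(orig_group, group.dn)` is unguarded while the matching add is wrapped in try/except, and both run after `client.update_entry(aci_entry)` has already changed the ACI. If the removal raises (for example, presumably, when the group was never in editors because the delegation predates this change), the script exits with the ACI updated, the editors membership stale and no success message. Per the commit message the group is display-only, so the effect would be wrong Edit links rather than extra access, but the removal should get the same handling as the add. It can also be skipped when the source did not change, `if last and orig_group != new_aci.source_group:`. The `orig_group == a.source_group` test is a plain string comparison, so two spellings of the same DN (case or spacing) would count as different groups and trigger a removal while another delegation still exists.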