authorPetr Vobornik <pvoborni@redhat.com>2014-06-19 17:09:38 +0200
committerPetr Vobornik <pvoborni@redhat.com>2014-07-28 10:13:24 +0200
commit855c59c7fcbeaa8f1caff6c3e5c61b0524eab53d (patch)
tree2059805c97fb8d7eca12ac6990c100ce917adc91
parentc475c093c9524353be0fbc1d5690a081b0c56cdc (diff)
webui: support wildcard attribute level rights
Reproduction: * add 'extensibleObject' object class to target object https://fedorahosted.org/freeipa/ticket/4380 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
-rw-r--r--install/ui/src/freeipa/field.js24
1 files changed, 15 insertions, 9 deletions
diff --git a/install/ui/src/freeipa/field.js b/install/ui/src/freeipa/field.js
index c2e96b392..5905bbab6 100644
--- a/install/ui/src/freeipa/field.js
+++ b/install/ui/src/freeipa/field.js
@@ -450,6 +450,12 @@ field.field = IPA.field = function(spec) {
var writable = true;
+ function has_write(record, param) {
+ var rights = record.attributelevelrights[param];
+ var has = !!rights && rights.indexOf('w') > -1;
+ return has;
+ }
+
if (that.metadata) {
if (that.metadata.primary_key) {
writable = false;
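Review bot: `has_write` reads `record.attributelevelrights[param]` without checking that `attributelevelrights` is present, so it is only safe when called inside the `record && record.attributelevelrights` guard that appears in the second hunk. Either state that above the helper with a comment such as `// Precondition: record.attributelevelrights is defined.`, or make the lookup defensive with `var rights = record.attributelevelrights && record.attributelevelrights[param];`. The enclosing function starts and ends outside this hunk, so other call sites cannot be ruled out from here.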
@@ -460,21 +466,21 @@ field.field = IPA.field = function(spec) {
}
}
- if (record && record.attributelevelrights) {
+ if (record && record.attributelevelrights && writable) {
var rights = record.attributelevelrights[that.acl_param];
- var oc_rights= record.attributelevelrights['objectclass'];
- var write_oc = oc_rights && oc_rights.indexOf('w') > -1;
+ var write_attr = has_write(record, that.acl_param);
+ var write_all = has_write(record, '*');
- // Some objects in LDAP may not have set proper object class and
+ // Some objects in LDAP may not have proper object class set and
// therefore server doesn't send proper attribute rights. Flag
// 'w_if_no_aci' should be used when we want to ensure that UI
// shows edit interface in such cases. Usable only when user can
// modify object classes.
- // For all others, lack of rights means no write.
- if ((!rights && !(that.flags.indexOf('w_if_no_aci') > -1 && write_oc)) ||
- (rights && rights.indexOf('w') < 0)) {
- writable = false;
- }
+ var write_oc = has_write(record, 'objectclass');
+ var may_add_oc = !rights && write_oc && that.flags.indexOf('w_if_no_aci') > -1;
+
+ // If no rights, change writable to False:
+ writable = write_attr || write_all || may_add_oc;
}
that.set_writable(writable);
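Review bot: In `writable = write_attr || write_all || may_add_oc;` a `'w'` on the `'*'` entry now overrides an explicit per-attribute entry that lacks `'w'`, a case the removed condition (`rights && rights.indexOf('w') < 0`) treated as read-only. If the server can return both a wildcard entry and a narrower entry for the same attribute, the field would present an edit control for an attribute the user may not modify; presumably the server still rejects the write, but the UI would then advertise more access than was granted. Consider applying the wildcard only when the attribute has no entry of its own, `var write_all = !rights && has_write(record, '*');`. The comment `// If no rights, change writable to False:` also no longer describes the line below it, and something like `// Writable if the attribute, the wildcard, or the w_if_no_aci fallback grants 'w'.` would match the new logic. The enclosing function continues outside the hunk.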