Diffstat (limited to 'ipalib/plugins/permission.py')
-rw-r--r--ipalib/plugins/permission.py55
1 files changed, 55 insertions, 0 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 08781ce2e..c9fd5649f 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -23,6 +23,7 @@ from ipalib import api, _, ngettext
from ipalib import Flag, Str, StrEnum
from ipalib.request import context
from ipalib import errors
+from ipalib.dn import DN
__doc__ = _("""
Permissions
@@ -89,6 +90,43 @@ output_params = (
),
)
+dn_ipaconfig = str(DN('cn=ipaconfig,cn=etc,%s' % api.env.basedn))
+
+def check_attrs(attrs, type):
+ # Trying to delete attributes - no need for validation
+ if attrs is None:
+ return True
+ allowed_objcls=[]
+ disallowed_objcls=[]
+ obj=api.Object[type]
+
+ if obj.object_class_config:
+ (dn,objcls)=api.Backend.ldap2.get_entry(
+ dn_ipaconfig,[obj.object_class_config]
+ )
+ allowed_objcls=objcls[obj.object_class_config]
+ else:
+ allowed_objcls=obj.object_class
+ if obj.possible_objectclasses:
+ allowed_objcls+=obj.possible_objectclasses
+ if obj.disallow_object_classes:
+ disallowed_objcls=obj.disallow_object_classes
+
+ allowed_attrs=[]
+ disallowed_attrs=[]
+ if allowed_objcls:
+ allowed_attrs=api.Backend.ldap2.get_allowed_attributes(allowed_objcls)
+ if disallowed_objcls:
+ disallowed_attrs=api.Backend.ldap2.get_allowed_attributes(disallowed_objcls)
+ failed_attrs=[]
+ for attr in attrs:
+ if (attr not in allowed_attrs) or (attr in disallowed_attrs):
+ failed_attrs.append(attr)
+ if failed_attrs:
+ raise errors.ObjectclassViolation(info='attribute(s) \"%s\" not allowed' % ','.join(failed_attrs))
+ return True
+
+
class permission(LDAPObject):
"""
Permission object.
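Review bot: `allowed_objcls=obj.object_class` followed by `allowed_objcls+=obj.possible_objectclasses` extends the plugin's shared `object_class` list in place (if it is a list, as the `+=` suggests), so every call to `check_attrs` on an object without `object_class_config` grows that list and the same aliasing applies to the entry value taken from `objcls[obj.object_class_config]`; copying first avoids this, `allowed_objcls = list(objcls[obj.object_class_config])` and `allowed_objcls = list(obj.object_class)`. The membership tests `attr not in allowed_attrs` are case-sensitive while LDAP attribute names are not, so whether a user-supplied `memberOf` matches depends on the case `get_allowed_attributes` returns — worth confirming and, if needed, lowercasing both sides. The parameter named `type` shadows the builtin here and in the `permission_mod` hunk below; `obj_type` would be clearer. A short docstring would help too, e.g. `"""Raise ObjectclassViolation if any of attrs is not allowed by the object classes of the given object type; None means no attrs to validate."""`.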
@@ -192,6 +230,8 @@ class permission_add(LDAPCreate):
opts['permission'] = keys[-1]
opts['aciprefix'] = ACI_PREFIX
try:
+ if 'type' in entry_attrs and 'attrs' in entry_attrs:
+ check_attrs(entry_attrs['attrs'],entry_attrs['type'])
self.api.Command.aci_add(keys[-1], **opts)
except Exception, e:
raise e
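Review bot: The new guard skips validation entirely when `entry_attrs` carries `attrs` without `type`, and `check_attrs` is also skipped when `type` is present but `attrs` is not; the mod hunk below explains this with a comment but this one does not, so add the same intent comment before the `if`, `# attrs can only be validated against a schema when the object type is given`. The enclosing pre_callback starts and ends outside the hunk, so it is not visible whether `entry_attrs['attrs']` is already a list at this point; `check_attrs` iterates it, so a bare string would be checked character by character.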
@@ -273,6 +313,21 @@ class permission_mod(LDAPUpdate):
except errors.NotFound:
self.obj.handle_not_found(*keys)
+ # check the correctness of attributes only when the type is specified
+ type=None
+ attrs_to_check=[]
+ current_values=self.api.Command.permission_show(attrs['cn'][0])['result']
+ if 'type' in entry_attrs:
+ type = entry_attrs['type']
+ elif 'type' in current_values:
+ type = current_values['type']
+ if 'attrs' in entry_attrs:
+ attrs_to_check = entry_attrs['attrs']
+ elif 'attrs' in current_values:
+ attrs_to_check = current_values['attrs']
+ if attrs_to_check and type is not None:
+ check_attrs(attrs_to_check,type)
+
# when renaming permission, check if the target permission does not
# exists already. Then, make changes to underlying ACI
if 'rename' in options:
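Review bot: When `type` is taken from `current_values['type']`, it is whatever `permission_show` returns for that attribute; if that is a list, as LDAP results usually are, `api.Object[type]` inside `check_attrs` would raise rather than validate — confirm the shape and, if it is a list, use `type = current_values['type'][0]` (and likewise `current_values['attrs']` should be a list of names). `attrs['cn'][0]` relies on a local `attrs` bound outside the hunk, which is easy to confuse with `attrs_to_check`; renaming the new local to `attrs_to_check` already helps, but a comment naming where `attrs` comes from would make the block readable on its own. The extra `permission_show` round-trip could presumably be replaced by reading `type` and `attrs` from the entry already fetched by the surrounding code, but that code is not visible here.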