authorRob Crittenden <rcritten@redhat.com>2012-04-29 17:38:12 -0400
committerRob Crittenden <rcritten@redhat.com>2012-04-29 17:40:31 -0400
commitee8ff3adf8b8214598c51d9b052f68cedf105cd1 (patch)
tree157e2ed60214549e01462e7ae1c609ea6f8db671
parentfab98c7f0d48bb2fa48483ad47f14c1871c4c193 (diff)
Revert "Validate attributes in permission-add"
This reverts commit 1356988b7a40a60af39807db143860efb4a2f435. We are going to take another approach to this. Instead of erroring out on attributes that don't seem to be allowed we are going to eventually return a warning.
-rw-r--r--ipalib/plugins/permission.py56
-rw-r--r--tests/test_xmlrpc/test_permission_plugin.py65
2 files changed, 0 insertions, 121 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 92203f17..891970d9 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -24,7 +24,6 @@ from ipalib import api, _, ngettext
from ipalib import Flag, Str, StrEnum
from ipalib.request import context
from ipalib import errors
-from ipalib.dn import DN
__doc__ = _("""
Permissions
@@ -91,44 +90,6 @@ output_params = (
),
)
-dn_ipaconfig = str(DN('cn=ipaconfig,cn=etc,%s' % api.env.basedn))
-
-
-def check_attrs(attrs, type):
- # Trying to delete attributes - no need for validation
- if attrs is None:
- return True
- allowed_objcls=[]
- disallowed_objcls=[]
- obj=api.Object[type]
-
- if obj.object_class_config:
- (dn,objcls)=api.Backend.ldap2.get_entry(
- dn_ipaconfig,[obj.object_class_config]
- )
- allowed_objcls=objcls[obj.object_class_config]
- else:
- allowed_objcls=obj.object_class
- if obj.possible_objectclasses:
- allowed_objcls+=obj.possible_objectclasses
- if obj.disallow_object_classes:
- disallowed_objcls=obj.disallow_object_classes
-
- allowed_attrs=[]
- disallowed_attrs=[]
- if allowed_objcls:
- allowed_attrs=api.Backend.ldap2.get_allowed_attributes(allowed_objcls)
- if disallowed_objcls:
- disallowed_attrs=api.Backend.ldap2.get_allowed_attributes(disallowed_objcls)
- failed_attrs=[]
- for attr in attrs:
- if (attr not in allowed_attrs) or (attr in disallowed_attrs):
- failed_attrs.append(attr)
- if failed_attrs:
- raise errors.ObjectclassViolation(info='attribute(s) \"%s\" not allowed' % ','.join(failed_attrs))
- return True
-
-
class permission(LDAPObject):
"""
Permission object.
@@ -234,8 +195,6 @@ class permission_add(LDAPCreate):
opts['permission'] = keys[-1]
opts['aciprefix'] = ACI_PREFIX
try:
- if 'type' in entry_attrs and 'attrs' in entry_attrs:
- check_attrs(entry_attrs['attrs'],entry_attrs['type'])
self.api.Command.aci_add(keys[-1], **opts)
except Exception, e:
raise e
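Review bot: With the `check_attrs` call removed, the `try` in this hunk guards only `self.api.Command.aci_add(keys[-1], **opts)`, and its handler `except Exception, e: raise e` adds nothing; in Python 2 `raise e` also restarts the traceback at this line, so the original failure site inside `aci_add` is lost. A bare `raise` would keep the traceback, or the `try` could be dropped if no other handler follows; the method body continues outside the hunk, so that needs checking. Separately, after this revert nothing visible at this call site checks `attrs` against the schema of the given `type`, so a permission can be stored naming attributes that the object type does not carry. Since the description says a warning will replace the error later, a comment here such as `# TODO: warn when attrs are not allowed for the given type` would keep the gap visible until then. The same applies to the block removed from `permission_mod` in the next hunk.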
@@ -317,21 +276,6 @@ class permission_mod(LDAPUpdate):
except errors.NotFound:
self.obj.handle_not_found(*keys)
- # check the correctness of attributes only when the type is specified
- type=None
- attrs_to_check=[]
- current_values=self.api.Command.permission_show(attrs['cn'][0])['result']
- if 'type' in entry_attrs:
- type = entry_attrs['type']
- elif 'type' in current_values:
- type = current_values['type']
- if 'attrs' in entry_attrs:
- attrs_to_check = entry_attrs['attrs']
- elif 'attrs' in current_values:
- attrs_to_check = current_values['attrs']
- if attrs_to_check and type is not None:
- check_attrs(attrs_to_check,type)
-
# when renaming permission, check if the target permission does not
# exists already. Then, make changes to underlying ACI
if 'rename' in options:
diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py
index d67a427b..14cfcbc7 100644
--- a/tests/test_xmlrpc/test_permission_plugin.py
+++ b/tests/test_xmlrpc/test_permission_plugin.py
@@ -133,71 +133,6 @@ class test_permission(Declarative):
dict(
- desc='Try to create %r with invalid attribute \'ipaclientversion\'' % permission2,
- command=(
- 'permission_add', [permission2], dict(
- type=u'user',
- permissions=u'write',
- attrs=u'ipaclientversion',
- ),
- ),
- expected=errors.ObjectclassViolation(info=u'attribute(s) \"ipaclientversion\" not allowed'),
- ),
-
-
- dict(
- desc='Add allowed attribute \'cn\' to %r' % permission1,
- command=(
- 'permission_mod', [permission1], dict(
- attrs=u'cn',
- )
- ),
- expected=dict(
- value=permission1,
- summary=u'Modified permission "%s"' % permission1,
- result=dict(
- dn=lambda x: DN(x) == permission1_dn,
- cn=[permission1],
- type=u'user',
- permissions=[u'write'],
- attrs=[u'cn'],
- ),
- ),
- ),
-
-
- dict(
- desc='Try to modify %r with invalid attribute \'ipaclientversion\'' % permission1,
- command=(
- 'permission_mod', [permission1], dict(
- attrs=u'ipaclientversion',
- ),
- ),
- expected=errors.ObjectclassViolation(info=u'attribute(s) \"ipaclientversion\" not allowed'),
- ),
-
-
- dict(
- desc='Unset attribute \'cn\' of %r' % permission1,
- command=(
- 'permission_mod', [permission1], dict(
- attrs=None,
- )
- ),
- expected=dict(
- value=permission1,
- summary=u'Modified permission "%s"' % permission1,
- result=dict(
- dn=lambda x: DN(x) == permission1_dn,
- cn=[permission1],
- type=u'user',
- permissions=[u'write'],
- ),
- ),
- ),
-
-
- dict(
desc='Create %r' % privilege1,
command=('privilege_add', [privilege1],
dict(description=u'privilege desc. 1')