diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2008-02-27 15:14:52 -0500 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2008-02-27 15:14:52 -0500 |
| commit | 999bd4fb1e4f601759b9eb7d40c27ec983c99329 (patch) | |
| tree | 57e792bcca31472414f9e9e771834d53afce6769 /ipa-server/ipa-gui/ipagui/proxyprovider.py | |
| parent | ad8096b51f1f8de2c05a5c53952fcb2cb5bbd116 (diff) | |
| download | freeipa.git-999bd4fb1e4f601759b9eb7d40c27ec983c99329.tar.gz freeipa.git-999bd4fb1e4f601759b9eb7d40c27ec983c99329.tar.xz freeipa.git-999bd4fb1e4f601759b9eb7d40c27ec983c99329.zip | |
In the UI we don't want to display Edit links unless someone can actually
edit things. We use the 'editors' group for this. This group itself grants
no permission other than displaying certain things in the UI.
In order to be in the editors group a user must be a member of a group that
is the source group in a delegation. The memberof plugin will do all the
hard work to be sure that a user's memberof contains cn=editors if they
are in a delegated group.
432874
Diffstat (limited to 'ipa-server/ipa-gui/ipagui/proxyprovider.py')
| -rw-r--r-- | ipa-server/ipa-gui/ipagui/proxyprovider.py | 23 |
1 files changed, 12 insertions, 11 deletions
diff --git a/ipa-server/ipa-gui/ipagui/proxyprovider.py b/ipa-server/ipa-gui/ipagui/proxyprovider.py index ab45a6db..5a145de1 100644 --- a/ipa-server/ipa-gui/ipagui/proxyprovider.py +++ b/ipa-server/ipa-gui/ipagui/proxyprovider.py @@ -24,6 +24,7 @@ from ipaserver import funcs import ipa.config import ipa.group import ipa.user +import ldap log = logging.getLogger("turbogears.identity") @@ -41,18 +42,18 @@ class IPA_User(object): client = ipa.ipaclient.IPAClient(transport) client.set_krbccache(os.environ["KRB5CCNAME"]) try: - user = client.get_user_by_principal(user_name, ['dn']) + # Use memberof so we can see recursive group memberships as well. + user = client.get_user_by_principal(user_name, ['dn', 'memberof']) self.groups = [] - groups = client.get_groups_by_member(user.dn, ['dn', 'cn']) - if isinstance(groups, str): - groups = [groups] - for ginfo in groups: - # cn may be multi-valued, add them all just in case - cn = ginfo.getValue('cn') - if isinstance(cn, str): - cn = [cn] - for c in cn: - self.groups.append(c) + memberof = user.getValues('memberof') + if isinstance(memberof, str): + memberof = [memberof] + for mo in memberof: + rdn_list = ldap.explode_dn(mo, 0) + first_rdn = rdn_list[0] + (type,value) = first_rdn.split('=') + if type == "cn": + self.groups.append(value) except: raise |