From 0824d12c95d840b1787743e8316b0bc0f7ba5284 Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Wed, 19 Feb 2014 14:18:58 +0100
Subject: permission-mod: Do not copy member attributes to new entry

Fixes: https://fedorahosted.org/freeipa/ticket/4178
Reviewed-By: Jan Cholasta
---
 ipalib/plugins/permission.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index d003bcab..deb069d3 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -883,7 +883,9 @@ class permission_mod(baseldap.LDAPUpdate):
  # it cannot be used directly to generate an ACI.
  # First we need to copy the original data into it.
  for key, value in old_entry.iteritems():
- if key not in options and key != 'cn':
+ if (key not in options and
+ key != 'cn' and
+ key not in self.obj.attribute_members):
  entry.setdefault(key, value)
 
  if not entry.get('ipapermlocation'):
-- 
cgit
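Review bot: The added condition `key not in self.obj.attribute_members` is an exact-string membership test, so it filters member attributes only if the keys yielded by `old_entry.iteritems()` are spelled in the same case as the names in `attribute_members`. LDAP attribute names are case-insensitive, and whether `old_entry` normalises key case is not visible in this hunk, so that is worth confirming. Because this entry is the one the ACI is later generated from, the reason for the exclusion deserves a comment above the condition, for example `# Member attributes must not be copied into the entry being updated (ticket 4178)`. The diffstat shows only permission.py changed, so no regression test for the ticket accompanies the fix. The enclosing method starts and ends outside the hunk.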