From 5b64cde92a84c2e8ad2f99fd139fa5d13598b096 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tbabej@redhat.com>
Date: Mon, 11 Feb 2013 10:19:53 +0100
Subject: Prevent changing protected group's name using --setattr

The name of any protected group now cannot be changed by modifing
the cn attribute using --setattr. Unit tests have been added to
make sure there is no regression.

https://fedorahosted.org/freeipa/ticket/3354
---
 ipalib/plugins/group.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'ipalib/plugins/group.py')

diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 19404c6f..4994dacb 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -265,7 +265,7 @@ class group_mod(LDAPUpdate):
 
         is_protected_group = keys[-1] in PROTECTED_GROUPS
 
-        if 'rename' in options:
+        if 'rename' in options or 'cn' in entry_attrs:
             if is_protected_group:
                 raise errors.ProtectedEntryError(label=u'group', key=keys[-1],
                     reason=u'Cannot be renamed')
-- 
cgit