From 4a64a1f18bd51c65bf34a13fd7541e1d6b4b75fd Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Tue, 29 Oct 2013 17:01:07 +0100
Subject: Allow anonymous and all permissions
Disallow adding permissions with non-default bindtype to privileges
Ticket: https://fedorahosted.org/freeipa/ticket/4032
Design: http://www.freeipa.org/page/V3/Anonymous_and_All_permissions
---
 ipalib/plugins/permission.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
(limited to 'ipalib/plugins/permission.py')
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index fef640c3..20457469 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -180,7 +180,7 @@ class permission(baseldap.LDAPObject):
 label=_('Bind rule type'),
 doc=_('Bind rule type'),
 autofill=True,
- values=(u'permission',),
+ values=(u'permission', u'all', u'anonymous'),
 default=u'permission',
 ),
 DNOrURL(
@@ -775,6 +775,13 @@ class permission_mod(baseldap.LDAPUpdate):
 self.obj.reject_system(old_entry)
 self.obj.upgrade_permission(old_entry)
+ # Check setting bindtype for an assigned permission
+ if options.get('ipapermbindruletype') and old_entry.get('member'):
+ raise errors.ValidationError(
+ name='ipapermbindruletype',
+ error=_('cannot set bindtype for a permission that is '
+ 'assigned to a privilege'))
+
 # Since `entry` only contains the attributes we are currently changing,
 # it cannot be used directly to generate an ACI.
 # First we need to copy the original data into it.
-- cgit
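Review bot: The `doc=_('Bind rule type')` on the context line just above the widened `values=` tuple still gives no hint of what the three accepted values mean, even though `all` and `anonymous` presumably make the permission apply to every bound client or to unauthenticated binds instead of to privilege holders. Since the doc string is what the CLI help shows, spell out the choices and their scope, e.g. `doc=_('Bind rule type: permission (via privileges), all (any authenticated user), or anonymous (unauthenticated binds)')`, hedging the wording against the design page if my reading of the two new values is off. The enclosing `Param` and the `permission` class start and end outside the hunk.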
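Review bot: The new guard `if options.get('ipapermbindruletype') and old_entry.get('member'):` rejects any explicitly supplied bindtype on an assigned permission, including the default `u'permission'` that privileges are meant to accept, so re-asserting the default (or reverting an `all`/`anonymous` permission back to it) fails with the same ValidationError. If only non-default bindtypes are to be refused, test the value rather than its presence: `if options.get('ipapermbindruletype', u'permission') != u'permission' and old_entry.get('member'):`. The check also relies on `member` being among the attributes fetched into `old_entry`, which happens earlier in the enclosing method (presumably a pre_callback) that starts and ends outside the hunk. This only covers the permission-mod direction; whether attaching an `all`/`anonymous` permission to a privilege is refused would live in the privilege plugin, and this diff is limited to permission.py.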