freeipa.git/ipalib/plugins/privilege.py, branch webui_isolate FreeIPA patches ipalib: move server-side plugins to ipaserver 2016-06-03T07:00:34+00:00 Jan Cholasta jcholast@redhat.com 2016-04-28T08:30:05+00:00 6e44557b601f769d23ee74555a72e8b5cc62c0c9 Move the remaining plugin code from ipalib.plugins to ipaserver.plugins. Remove the now unused ipalib.plugins package. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com> 
Move the remaining plugin code from ipalib.plugins to ipaserver.plugins.

Remove the now unused ipalib.plugins package.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
ipalib: use relative imports for cross-plugin imports 2016-05-25T14:06:26+00:00 Jan Cholasta jcholast@redhat.com 2016-04-20T13:41:34+00:00 9e3c16e322ffc65e7d0799bcfbadec5df0ce1ad6 This will make it possible to move the plugin modules between ipalib, ipaclient and ipaserver without having to change the imports. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com> 
This will make it possible to move the plugin modules between ipalib,
ipaclient and ipaserver without having to change the imports.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
Remove wildcard imports 2015-12-23T06:59:22+00:00 Martin Basti mbasti@redhat.com 2015-12-16T18:04:20+00:00 e1192ebd975bc17aa600030eecbaed6660dc7733 Wildcard imports should not be used. Check for wildcard imports has been enabled in pylint. Pylint note: options 'wildcard-import' causes too much false positive results, so instead it I used 'unused-wildcard-import' option which has almost the same effect. Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Wildcard imports should not be used.

Check for wildcard imports has been enabled in pylint.
Pylint note: options 'wildcard-import' causes too much false positive
results, so instead it I used 'unused-wildcard-import' option which has almost
the same effect.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Validate adding privilege to a permission 2015-07-17T04:57:54+00:00 Martin Basti mbasti@redhat.com 2015-07-09T14:48:36+00:00 a619a1e211927c27f5c034dec8c1a1bbc03720f2 Adding priviledge to a permission via webUI allowed to avoid check and to add permission with improper type. https://fedorahosted.org/freeipa/ticket/5075 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Adding priviledge to a permission via webUI allowed to avoid check and to add permission
with improper type.

https://fedorahosted.org/freeipa/ticket/5075

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Do not require description in UI. 2014-09-29T10:53:43+00:00 David Kupka dkupka@redhat.com 2014-09-26T06:54:28+00:00 cd9a4cca1fe17998a342fde000ece5bf46d13d27 Description attribute is not required in LDAP schema so there is no reason to require it in UI. Modified tests to reflect this change. https://fedorahosted.org/freeipa/ticket/4387 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Description attribute is not required in LDAP schema so there is no reason to
require it in UI. Modified tests to reflect this change.

https://fedorahosted.org/freeipa/ticket/4387

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Add several CRUD default permissions 2014-06-24T11:53:41+00:00 Petr Viktorin pviktori@redhat.com 2014-06-23T11:23:49+00:00 175b19bbf85d0aff91c0dec278cb66fce98b469c Add missing Add, Modify, Removedefault permissions to: - automountlocation (Add/Remove only; locations have no data to modify) - privilege - sudocmdgroup (Modify only; the others were present) Related to: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Add missing Add, Modify, Removedefault permissions to:
- automountlocation (Add/Remove only; locations have
   no data to modify)
- privilege
- sudocmdgroup (Modify only; the others were present)

Related to: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Make sure member* attrs are always granted together in read permissions 2014-06-11T11:21:30+00:00 Petr Viktorin pviktori@redhat.com 2014-06-10T10:31:29+00:00 b6258d08d6c5605b32151654c6259f7c77f1a32b Memberofindirect processing of an entry doesn't work if the user doesn't have rights to any one of these attributes: - member - memberuser - memberhost Add all of these to any read permission that specifies any of them. Add a check to makeaci that will enforce this for any future permissions. Reviewed-By: Martin Kosek <mkosek@redhat.com> 
Memberofindirect processing of an entry doesn't work if the user doesn't
have rights to any one of these attributes:
- member
- memberuser
- memberhost

Add all of these to any read permission that specifies any of them.

Add a check to makeaci that will enforce this for any future permissions.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Make 'permission' the default bind type for managed permissions 2014-06-11T11:21:29+00:00 Petr Viktorin pviktori@redhat.com 2014-06-09T15:59:53+00:00 2f3cdba54620989afba0ce1b423cddb56b841ab3 This reduces typing (or copy/pasting), and draws a bit of attention to any non-default privileges (currently 'any' or 'anonymous'). Leaving the bindtype out by mistake isn't dangerous: by default a permission is not granted to anyone, since it is not included in any priviliges. Reviewed-By: Martin Kosek <mkosek@redhat.com> 
This reduces typing (or copy/pasting), and draws a bit of attention
to any non-default privileges (currently 'any' or 'anonymous').

Leaving the bindtype out by mistake isn't dangerous: by default
a permission is not granted to anyone, since it is not included in
any priviliges.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Add managed read permissions to RBAC objects 2014-04-11T08:17:41+00:00 Petr Viktorin pviktori@redhat.com 2014-03-26T16:11:23+00:00 a185d45d87539559876f7b0b4f75b904339a5b90 Add default read permissions to roles, privileges and permissions. Also add permission to read ACIs. This is required for legacy permissions. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 
Add default read permissions to roles, privileges and permissions.
Also add permission to read ACIs. This is required for legacy permissions.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Allow anonymous and all permissions 2014-01-07T08:56:41+00:00 Petr Viktorin pviktori@redhat.com 2013-10-29T16:01:07+00:00 4a64a1f18bd51c65bf34a13fd7541e1d6b4b75fd Disallow adding permissions with non-default bindtype to privileges Ticket: https://fedorahosted.org/freeipa/ticket/4032 Design: http://www.freeipa.org/page/V3/Anonymous_and_All_permissions 
Disallow adding permissions with non-default bindtype to privileges

Ticket: https://fedorahosted.org/freeipa/ticket/4032
Design: http://www.freeipa.org/page/V3/Anonymous_and_All_permissions