author | John Dennis <jdennis@redhat.com> | 2012-08-16 20:28:44 -0400 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2012-09-03 18:11:49 +0200 |
commit | 4f03aed5e603389bbb149464eee597180470ad70 | |
tree | d6a4caf1214ac130bc68d0aac5bd038e2db1f0a6 /ipalib/errors.py | |
parent | 557b2605503738f25d9c89e8b51d1832b24d5636 | |

prevent last admin from being disabled

We prevent the last member of the admin group from being deleted. The
same check needs to be performed when disabling a user.

* Moved the code in del_user to the common subroutine
  check_protected_member() and call it from both user_del and
  user_disable. Note, unlike user_del user_disable does not have a
  'pre' callback therefore the check function is called in
  user_disable's execute routine.
* Make check_protected_member() aware of disabled members. It's not
  sufficient to check which members of the protected group are
  present, one must only consider those members which are enabled.
* Add tests to test_user_plugin.py.
  - verify you cannot delete nor disable the last member of the admin
    group
  - verify when the admin group contains disabled users in addition to
    enabled users only the enabled users are considered when
    determining if the last admin is about to be disabled or deleted.
* Replace duplicated hardcoded values in the tests with variables or
  subroutines, this makes the individual tests a bit more succinct and
  easier to copy/modify.
* Update error msg to reflect either deleting or disabling is an error.

https://fedorahosted.org/freeipa/ticket/2979

Diffstat (limited to 'ipalib/errors.py')
-rw-r--r-- | ipalib/errors.py | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/ipalib/errors.py b/ipalib/errors.py index c25560b8e..1bff2acbb 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -1627,18 +1627,18 @@ class DependentEntry(ExecutionError): class LastMemberError(ExecutionError): """ - **4308** Raised when an entry being deleted is last member of a protected group + **4308** Raised when an entry being deleted or disabled is last member of a protected group For example: >>> raise LastMemberError(key=u'admin', label=u'group', container=u'admins') Traceback (most recent call last): ... - LastMemberError: admin cannot be deleted because it is the last member of group admins + LastMemberError: admin cannot be deleted or disabled because it is the last member of group admins """ errno = 4308 - format = _('%(key)s cannot be deleted because it is the last member of %(label)s %(container)s') + format = _('%(key)s cannot be deleted or disabled because it is the last member of %(label)s %(container)s') class ProtectedEntryError(ExecutionError): |
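
Review bot: The reworded `format` string in `LastMemberError` (errno 4308) no longer tells the caller which operation was refused: a delete and a disable now both report "cannot be deleted or disabled", so a log line or API client that sees this error cannot tell from the message alone which action was blocked. If that distinction matters for auditing changes to a protected group, consider leaving the delete wording as it was and giving the disable path its own message rather than merging both into one string. Also note that the text inside `_()` changes, so any existing translation of the old message stops matching and the error falls back to the untranslated string until the catalogs are regenerated. The class docstring and the doctest output line were updated to match the new wording, which keeps the three in step.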