permission plugin: Do not add the ipapermissionv2 for output

As with the flags, the objectclass should be returned as it is
on the entry.

https://fedorahosted.org/freeipa/ticket/4257

Reviewed-By: Martin Kosek <mkosek@redhat.com>

1 files changed, 4 insertions, 5 deletions

diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index cc842a68b..1697311d8 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -624,7 +624,7 @@ class permission(baseldap.LDAPObject):
             from the ACI corresponding to ``entry``.
             If None, ``entry`` itself is filled
         :param output_only:
-            If true, the flags are not updated to V2.
+            If true, the flags & objectclass are not updated to V2.
             Used for the -find and -show commands.
         :param cached_acientry:
             Optional pre-retreived entry that contains the existing ACI.
@@ -665,10 +665,9 @@ class permission(baseldap.LDAPObject):
 
         if not output_only:
             target_entry['ipapermissiontype'] = ['SYSTEM', 'V2']
-
-        if 'ipapermissionv2' not in entry['objectclass']:
-            target_entry['objectclass'] = list(entry['objectclass']) + [
-                u'ipapermissionv2']
+            if 'ipapermissionv2' not in entry['objectclass']:
+                target_entry['objectclass'] = list(entry['objectclass']) + [
+                    u'ipapermissionv2']
 
         target_entry['ipapermlocation'] = [self.api.env.basedn]