authorPetr Viktorin <pviktori@redhat.com>2013-02-14 07:23:06 -0500
committerMartin Kosek <mkosek@redhat.com>2013-02-22 17:20:34 +0100
commitda42daac2929972889aa42ec3a6d82a1aca4f1d7 (patch)
tree622048c0d43f9d2c57a98e1afed1d96065d8672c /ipalib
parent49beb8cd3a752322285aa21a94306f7b99bcfae8 (diff)
Fix permission validation and normalization in aci.py
The code split the permission string on commas, essentially doing poor man's CSV parsing. So if a permission contained a comma-separated list of valid permissions, validation would pass but we'd get errors later. https://fedorahosted.org/freeipa/ticket/3420
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/aci.py23
1 files changed, 10 insertions, 13 deletions
diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index a97bb48b0..665a7ec46 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -392,21 +392,18 @@ def _find_aci_by_name(acis, aciprefix, aciname):
return a
raise errors.NotFound(reason=_('ACI with name "%s" not found') % aciname)
-def validate_permissions(ugettext, permissions):
- valid_permissions = []
- permissions = permissions.split(',')
- for p in permissions:
- p = p.strip().lower()
- if not p in _valid_permissions_values:
- return '"%s" is not a valid permission' % p
-def _normalize_permissions(permissions):
+def validate_permissions(ugettext, perm):
+ perm = perm.strip().lower()
+ if perm not in _valid_permissions_values:
+ return '"%s" is not a valid permission' % perm
+
+
+def _normalize_permissions(perm):
valid_permissions = []
- permissions = permissions.split(',')
- for p in permissions:
- p = p.strip().lower()
- if p not in valid_permissions:
- valid_permissions.append(p)
+ perm = perm.strip().lower()
+ if perm not in valid_permissions:
+ valid_permissions.append(perm)
return ','.join(valid_permissions)
_prefix_option = StrEnum('aciprefix',
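Review bot: In `_normalize_permissions` the `valid_permissions` list is leftover scaffolding from the old loop: it is always empty when `perm not in valid_permissions` runs, so the test is always true and the body reduces to `return perm.strip().lower()`. Writing it that way also makes it obvious that the de-duplication the old loop performed is gone; if values differing only in case or surrounding whitespace can still end up together in one ACI (not visible in this hunk), that has to be handled where the values are combined. In `validate_permissions` the `ugettext` argument is unused and the error string is returned untranslated, unlike the `_(...)` call in the context line above; `return _('"%s" is not a valid permission') % perm` would match it.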