authorRob Crittenden <rcritten@redhat.com>2011-02-01 11:57:18 -0500
committerRob Crittenden <rcritten@redhat.com>2011-02-01 16:00:41 -0500
commitc6ef39b2c04c7b09848226d7454c983924cbdfed (patch)
treefb6ff2bd54bd9b02699d816ed05a6e79599cfa27 /ipalib
parent685c516e884ead09c7ba7f435e7a63123721833c (diff)
Add new schema to store information about permissions.
There are some permissions we can't display because they are stored outside of the basedn (such as the replication permissions). We are adding a new attribute to store extra information that makes this clear; in this case the value is SYSTEM. Ticket 853
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/permission.py30
1 files changed, 28 insertions, 2 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index b11efdab0..61aba5260 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -73,9 +73,16 @@ from ipalib.plugins.baseldap import *
from ipalib import api, _, ngettext
from ipalib import Flag, Str, StrEnum
from ipalib.request import context
+from ipalib import errors
ACI_PREFIX=u"permission"
+output_params = (
+ Str('ipapermissiontype',
+ label=_('Permission Type'),
+ ),
+)
+
class permission(LDAPObject):
"""
Permission object.
@@ -83,9 +90,9 @@ class permission(LDAPObject):
container_dn = api.env.container_permission
object_name = 'permission'
object_name_plural = 'permissions'
- object_class = ['groupofnames']
+ object_class = ['groupofnames', 'ipapermission']
default_attributes = ['cn', 'member', 'memberof',
- 'memberindirect',
+ 'memberindirect', 'ipapermissiontype',
]
aci_attributes = ['group', 'permissions', 'attrs', 'type',
'filter', 'subtree', 'targetgroup',
@@ -150,6 +157,17 @@ class permission(LDAPObject):
),
)
+ # Don't allow SYSTEM permissions to be modified or removed
+ def check_system(self, ldap, dn, *keys):
+ try:
+ (dn, entry_attrs) = ldap.get_entry(dn, ['ipapermissiontype'])
+ except errors.NotFound:
+ self.handle_not_found(*keys)
+ if 'ipapermissiontype' in entry_attrs:
+ if 'SYSTEM' in entry_attrs['ipapermissiontype']:
+ return False
+ return True
+
api.register(permission)
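Review bot: check_system only fails closed if handle_not_found(*keys) raises; should it ever return, entry_attrs is unbound on the following line and callers in permission_del and permission_mod get a NameError instead of a decision. Adding a bare `raise` right after `self.handle_not_found(*keys)` makes the NotFound path explicit, and the `# Don't allow SYSTEM permissions ...` comment above the def would serve better as a docstring stating that False means the entry is a SYSTEM permission that must not be modified or removed. The membership test `'SYSTEM' in entry_attrs['ipapermissiontype']` is exact-case; if the attribute's LDAP syntax is case-insensitive (the schema is not visible here), a value stored as `system` would slip past, so either confirm the syntax or compare against upper-cased values.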
@@ -220,6 +238,8 @@ class permission_del(LDAPDelete):
msg_summary = _('Deleted permission "%(value)s"')
def pre_callback(self, ldap, dn, *keys, **options):
+ if not self.obj.check_system(ldap, dn, *keys):
+ raise errors.ACIError(info='A SYSTEM permission may not be removed')
# remove permission even when the underlying ACI is missing
try:
self.api.Command.aci_del(keys[-1], aciprefix=ACI_PREFIX)
@@ -236,8 +256,12 @@ class permission_mod(LDAPUpdate):
"""
msg_summary = _('Modified permission "%(value)s"')
+ has_output_params = LDAPUpdate.has_output_params + output_params
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ if not self.obj.check_system(ldap, dn, *keys):
+ raise errors.ACIError(info='A SYSTEM permission may not be modified')
+
# check if permission is in LDAP
try:
(dn, attrs) = ldap.get_entry(
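Review bot: The new guard stops modification of an entry already marked SYSTEM, but nothing in this pre_callback prevents the reverse transition; if LDAPUpdate's --setattr/--addattr options reach entry_attrs at this point (not visible in the hunk), a caller could set ipapermissiontype to SYSTEM on an ordinary permission and lock it against any later modification or deletion through the API. Consider rejecting user-supplied changes to that attribute here, e.g. `if 'ipapermissiontype' in entry_attrs: raise errors.ACIError(info='ipapermissiontype may not be changed')`, so the flag stays under the installer's control. Separately, check_system reads the entry and the code two lines below calls ldap.get_entry on the same dn again; asking for ipapermissiontype in that existing fetch would avoid the duplicate round trip. pre_callback continues past the end of the hunk.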
@@ -330,6 +354,7 @@ class permission_find(LDAPSearch):
msg_summary = ngettext(
'%(count)d permission matched', '%(count)d permissions matched'
)
+ has_output_params = LDAPSearch.has_output_params + output_params
def post_callback(self, ldap, entries, truncated, *args, **options):
for entry in entries:
@@ -378,6 +403,7 @@ class permission_show(LDAPRetrieve):
"""
Display information about a permission.
"""
+ has_output_params = LDAPRetrieve.has_output_params + output_params
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
try:
aci = self.api.Command.aci_show(keys[-1], aciprefix=ACI_PREFIX)['result']