author | Rob Crittenden <rcritten@redhat.com> | 2011-02-01 11:57:18 -0500 |
committer | Rob Crittenden <rcritten@redhat.com> | 2011-02-01 16:00:41 -0500 |
commit | c6ef39b2c04c7b09848226d7454c983924cbdfed (patch) | |
tree | fb6ff2bd54bd9b02699d816ed05a6e79599cfa27 /ipalib | |
parent | 685c516e884ead09c7ba7f435e7a63123721833c (diff) | |
Add new schema to store information about permissions.
There are some permissions we can't display because they are stored
outside of the basedn (such as the replication permissions). We
are adding a new attribute to store extra information that makes this
clear; in this case the value is SYSTEM.
ticket 853
Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/plugins/permission.py | 30 |
1 files changed, 28 insertions, 2 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index b11efdab0..61aba5260 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -73,9 +73,16 @@ from ipalib.plugins.baseldap import *
 from ipalib import api, _, ngettext
 from ipalib import Flag, Str, StrEnum
 from ipalib.request import context
+from ipalib import errors
 
 ACI_PREFIX=u"permission"
 
+output_params = (
+    Str('ipapermissiontype',
+        label=_('Permission Type'),
+    ),
+)
+
 class permission(LDAPObject):
     """
     Permission object.
@@ -83,9 +90,9 @@ class permission(LDAPObject):
     container_dn = api.env.container_permission
     object_name = 'permission'
     object_name_plural = 'permissions'
-    object_class = ['groupofnames']
+    object_class = ['groupofnames', 'ipapermission']
     default_attributes = ['cn', 'member', 'memberof',
-        'memberindirect',
+        'memberindirect', 'ipapermissiontype',
     ]
     aci_attributes = ['group', 'permissions', 'attrs', 'type',
                       'filter', 'subtree', 'targetgroup',
@@ -150,6 +157,17 @@ class permission(LDAPObject):
         ),
     )
 
+    # Don't allow SYSTEM permissions to be modified or removed
+    def check_system(self, ldap, dn, *keys):
+        try:
+            (dn, entry_attrs) = ldap.get_entry(dn, ['ipapermissiontype'])
+        except errors.NotFound:
+            self.handle_not_found(*keys)
+        if 'ipapermissiontype' in entry_attrs:
+            if 'SYSTEM' in entry_attrs['ipapermissiontype']:
+                return False
+        return True
+
 api.register(permission)
 
 
@@ -220,6 +238,8 @@ class permission_del(LDAPDelete):
     msg_summary = _('Deleted permission "%(value)s"')
 
     def pre_callback(self, ldap, dn, *keys, **options):
+        if not self.obj.check_system(ldap, dn, *keys):
+            raise errors.ACIError(info='A SYSTEM permission may not be removed')
         # remove permission even when the underlying ACI is missing
         try:
             self.api.Command.aci_del(keys[-1], aciprefix=ACI_PREFIX)
@@ -236,8 +256,12 @@ class permission_mod(LDAPUpdate):
     """
 
     msg_summary = _('Modified permission "%(value)s"')
+    has_output_params = LDAPUpdate.has_output_params + output_params
 
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+        if not self.obj.check_system(ldap, dn, *keys):
+            raise errors.ACIError(info='A SYSTEM permission may not be modified')
+
         # check if permission is in LDAP
         try:
             (dn, attrs) = ldap.get_entry(
@@ -330,6 +354,7 @@ class permission_find(LDAPSearch):
     msg_summary = ngettext(
         '%(count)d permission matched', '%(count)d permissions matched'
     )
+    has_output_params = LDAPSearch.has_output_params + output_params
 
     def post_callback(self, ldap, entries, truncated, *args, **options):
         for entry in entries:
@@ -378,6 +403,7 @@ class permission_show(LDAPRetrieve):
     """
     Display information about a permission.
     """
+    has_output_params = LDAPRetrieve.has_output_params + output_params
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         try:
             aci = self.api.Command.aci_show(keys[-1], aciprefix=ACI_PREFIX)['result']
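Review bot: In check_system the `except errors.NotFound` branch depends on `self.handle_not_found(*keys)` raising; if that helper ever returns, `entry_attrs` is unbound and the following `if 'ipapermissiontype' in entry_attrs` fails with NameError rather than the intended NotFound. Moving the membership test into the try's `else:` clause, or adding a bare `raise` after the `self.handle_not_found(*keys)` call, makes the guard fail closed regardless of what the helper does. The tuple unpacking also rebinds the `dn` parameter, which is harmless here but worth a distinct local name. The `'SYSTEM' in entry_attrs['ipapermissiontype']` test is an exact, case-sensitive comparison on the values as returned by the directory; whether that agrees with the attribute's matching rule is not visible from this diffstat, so a one-line comment such as `# only the literal value SYSTEM marks a protected permission` would document the contract. The same guard is consumed by the permission_del hunk below and the permission_mod hunk on the next line.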
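Review bot: The new guard in permission_mod.pre_callback fetches the entry with `ldap.get_entry(dn, ['ipapermissiontype'])` inside check_system, and the existing code immediately below fetches the same entry again with `ldap.get_entry(dn, attrs_list, ...)`, so every modify now costs two directory round-trips for one entry. Appending `'ipapermissiontype'` to `attrs_list` and testing the value on the already-fetched `attrs` would keep a single lookup, at the cost of no longer sharing check_system with permission_del. Both callers raise `errors.ACIError(info=...)` for what is a protected-entry condition rather than an ACI evaluation failure; if `errors.ProtectedEntryError` is available in this tree it would name the situation more precisely for clients. pre_callback continues past the end of the hunk.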