diff options
Diffstat (limited to 'ipalib/plugins/privilege.py')
-rw-r--r-- | ipalib/plugins/privilege.py | 51 |
1 files changed, 26 insertions, 25 deletions
diff --git a/ipalib/plugins/privilege.py b/ipalib/plugins/privilege.py index 867544359..ffb903e03 100644 --- a/ipalib/plugins/privilege.py +++ b/ipalib/plugins/privilege.py @@ -45,6 +45,31 @@ See role and permission for additional information. register = Registry() +def validate_permission_to_privilege(api, permission): + ldap = api.Backend.ldap2 + ldapfilter = ldap.combine_filters(rules='&', filters=[ + '(objectClass=ipaPermissionV2)', '(!(ipaPermBindRuleType=permission))', + ldap.make_filter_from_attr('cn', permission, rules='|')]) + try: + entries, truncated = ldap.find_entries( + filter=ldapfilter, + attrs_list=['cn', 'ipapermbindruletype'], + base_dn=DN(api.env.container_permission, api.env.basedn), + size_limit=1) + except errors.NotFound: + pass + else: + entry = entries[0] + message = _('cannot add permission "%(perm)s" with bindtype ' + '"%(bindtype)s" to a privilege') + raise errors.ValidationError( + name='permission', + error=message % { + 'perm': entry.single_value['cn'], + 'bindtype': entry.single_value.get( + 'ipapermbindruletype', 'permission')}) + + @register() class privilege(LDAPObject): """ @@ -185,31 +210,7 @@ class privilege_add_permission(LDAPAddReverseMember): if options.get('permission'): # We can only add permissions with bind rule type set to # "permission" (or old-style permissions) - ldapfilter = ldap.combine_filters(rules='&', filters=[ - '(objectClass=ipaPermissionV2)', - '(!(ipaPermBindRuleType=permission))', - ldap.make_filter_from_attr('cn', options['permission'], - rules='|'), - ]) - try: - entries, truncated = ldap.find_entries( - filter=ldapfilter, - attrs_list=['cn', 'ipapermbindruletype'], - base_dn=DN(self.api.env.container_permission, - self.api.env.basedn), - size_limit=1) - except errors.NotFound: - pass - else: - entry = entries[0] - message = _('cannot add permission "%(perm)s" with bindtype ' - '"%(bindtype)s" to a privilege') - raise errors.ValidationError( - name='permission', - error=message % { - 'perm': entry.single_value['cn'], - 'bindtype': entry.single_value.get( - 'ipapermbindruletype', 'permission')}) + validate_permission_to_privilege(self.api, options['permission']) return dn |