From 1e46c0a36159c990e083f771de2c0a18ecdbc42e Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Wed, 26 Mar 2014 17:11:23 +0100
Subject: Add managed read permissions to automember
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek
---
 install/updates/40-delegation.update | 7 +++++++
 ipalib/plugins/automember.py | 29 +++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 6ab849bf8..69061ca3d 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -415,3 +415,10 @@ default:objectClass: groupofnames
 default:objectClass: top
 default:cn: Kerberos Ticket Policy Readers
 default:description: Read global and per-user Kerberos ticket policy
+
+dn: cn=Automember Readers,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: Automember Readers
+default:description: Read Automember definitions
diff --git a/ipalib/plugins/automember.py b/ipalib/plugins/automember.py
index 4b3f6f06f..dad35d458 100644
--- a/ipalib/plugins/automember.py
+++ b/ipalib/plugins/automember.py
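Review bot: The new privilege's description `default:description: Read Automember definitions` undersells what it grants: the companion automember.py hunk attaches both 'System: Read Automember Definitions' and 'System: Read Automember Rules' to 'Automember Readers', so `default:description: Read Automember definitions and rules` would match what an administrator assigning this privilege actually hands out. Nothing in this hunk creates or references 'Automember Task Administrator', the other privilege named in the plugin's default_privileges; presumably it already exists from an earlier update, but the update ordering is worth confirming so the managed-permission update does not run before both privileges exist.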
@@ -183,10 +183,39 @@ class automember(LDAPObject):
 object_name = 'Automember rule'
 object_name_plural = 'Automember rules'
 object_class = ['top', 'automemberregexrule']
+ permission_filter_objectclasses = ['automemberregexrule']
 default_attributes = [
 'automemberinclusiveregex', 'automemberexclusiveregex', 'cn',
 'automembertargetgroup', 'description', 'automemberdefaultgroup'
 ]
+ managed_permissions = {
+ 'System: Read Automember Definitions': {
+ 'non_object': True,
+ 'ipapermlocation': DN(container_dn, api.env.basedn),
+ 'ipapermtargetfilter': {'(objectclass=automemberdefinition)'},
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'objectclass', 'cn', 'automemberscope', 'automemberfilter',
+ 'automembergroupingattr', 'automemberdefaultgroup',
+ 'automemberdisabled',
+ },
+ 'default_privileges': {'Automember Readers',
+ 'Automember Task Administrator'},
+ },
+ 'System: Read Automember Rules': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'cn', 'objectclass', 'automembertargetgroup', 'description',
+ 'automemberexclusiveregex', 'automemberinclusiveregex',
+ },
+ 'default_privileges': {'Automember Readers',
+ 'Automember Task Administrator'},
+ },
+ }
 label = _('Auto Membership Rule')
-- cgit
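Review bot: 'System: Read Automember Rules' grants read on six attributes but not on 'automemberdefaultgroup', which this class's default_attributes lists alongside the rule attributes; if automemberdefaultgroup only ever lives on the definition entry (where the Definitions permission does cover it) that is fine, but if it can appear on a regex-rule entry, holders of 'Automember Readers' would see it silently absent rather than denied — worth confirming against the automemberregexrule schema and either adding it to the rule permission's `'ipapermdefaultattr'` set or noting why it is excluded. Both permissions set `'replaces_global_anonymous_aci': True`; if that key means what its name suggests, installing them withdraws anonymous read access to the automember container, which is a behaviour change that unauthenticated clients enumerating rules would notice and deserves a one-line comment above `managed_permissions = {` such as `# Replaces the global anonymous read ACI: automember entries become readable only through these privileges`. The `'default_privileges'` set literal is repeated verbatim in both entries; a single class-level name would keep the two from drifting apart. The automember class body continues outside the hunk.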