From 41607774bc6146f83496bd469d59595261e314a7 Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Thu, 10 Apr 2014 12:24:41 +0200
Subject: Add mechanism for adding default permissions to privileges
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek
---
 ipaserver/install/plugins/update_managed_permissions.py | 11 +++++++++++
 1 file changed, 11 insertions(+)
(limited to 'ipaserver/install')
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index d938eecf1..efd87d0d1 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -51,6 +51,9 @@ The template dictionary can have the following keys:
 * ipapermdefaultattr
 - Used as attribute of the permission.
 - When upgrading, only new values are added; all old values are kept.
+* default_privileges
+ - Names of privileges to add the permission to
+ - Only applied on newly created permissions
 * replaces_global_anonymous_aci
 - If true, any attributes specified (denied) in the legacy global anonymous read ACI will be added to excluded_attributes of the new permission.
@@ -200,6 +203,14 @@ class update_managed_permissions(PostUpdate):
 entry['ipapermright'] = list(template.pop('ipapermright'))
+ default_privileges = template.pop('default_privileges', None)
+ if is_new and default_privileges:
+ entry['member'] = list(
+ DN(('cn', privilege_name),
+ self.api.env.container_privilege,
+ self.api.env.basedn)
+ for privilege_name in default_privileges)
+
 # Add to the set of default attributes
 attributes = set(template.pop('ipapermdefaultattr', ()))
 attributes.update(entry.get('ipapermdefaultattr', ()))
-- cgit
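Review bot: In the second hunk `default_privileges` is iterated without a type check, so a template that gives one privilege name as a plain string would yield one `cn=<character>` member DN per character rather than a single privilege; a guard before the `if is_new` line, such as `if isinstance(default_privileges, basestring): raise ValueError('default_privileges must be a list of names')`, would catch that when the update runs (`basestring` assumes this file is Python 2, which its date suggests). The hunk also shows no check that the named privileges exist, so a misspelled name may either fail the add or leave a dangling `member` value, depending on how the directory handles it; since this list decides which privileges receive the new permission, that is worth confirming in the part of the method outside the hunk. A one-line comment above the `if`, for example `# Memberships are set only at creation, so upgrades never re-add a privilege an admin removed`, would record why `is_new` gates this, if that is the intent. The enclosing method starts and ends outside the hunk.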