author | Vincent Untz <vuntz@suse.com> | 2012-06-26 17:04:08 +0200 |
---|---|---|
committer | Vincent Untz <vuntz@suse.com> | 2012-07-04 07:59:47 +0200 |
commit | 7297afc75dd94771d5054daa20b1aa10aa5667d2 (patch) | |
tree | f735c000e6fddc52f11da2da42f1980ae4f8d335 /keystone/common/ldap/fakeldap.py | |
parent | f584c06aaa3ecb774f6aa68eb72cebd59f772fad (diff) | |
download | keystone-7297afc75dd94771d5054daa20b1aa10aa5667d2.tar.gz keystone-7297afc75dd94771d5054daa20b1aa10aa5667d2.tar.xz keystone-7297afc75dd94771d5054daa20b1aa10aa5667d2.zip |
Return a 409 error when adding a second time a role to user/tenant

Fix bug 999594.

When a user/tenant pair already has a role and there is a request to add
the role to the pair, we can choose to either return 200 and let the
client feel it's alright to do so, or return a 409 error (Conflict) to
inform the client of the pre-existing role for the pair. I feel the
latter is a bit more appropriate.

The KVS and the pam backends were simply accepting the request, while
the LDAP backend was raising an error. So be consistent, and always
return 409.

Change-Id: I7328d2932f6907d48e6422674eeeee22dc7a7149
Diffstat (limited to 'keystone/common/ldap/fakeldap.py')
-rw-r--r-- | keystone/common/ldap/fakeldap.py | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/keystone/common/ldap/fakeldap.py b/keystone/common/ldap/fakeldap.py index 0da83189..77d2bfe4 100644 --- a/keystone/common/ldap/fakeldap.py +++ b/keystone/common/ldap/fakeldap.py @@ -233,6 +233,8 @@ class FakeLdap(object): for cmd, k, v in attrs: values = entry.setdefault(k, []) if cmd == ldap.MOD_ADD: + if v in values: + raise ldap.TYPE_OR_VALUE_EXISTS if isinstance(v, list): values += v else: |
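Review bot: In the `ldap.MOD_ADD` branch, the new `if v in values:` check runs before the `isinstance(v, list)` test, so when `v` is a list it asks whether the list object itself is an element of `values`, not whether any of its members is already stored. A list-valued add that repeats an existing value therefore falls through to `values += v` and records the duplicate without raising `ldap.TYPE_OR_VALUE_EXISTS`. Suggest moving the check into both arms: in the list arm raise if any element of `v` is already in `values`, and in the `else` arm keep `if v in values:`. Since the commit message makes consistent 409 behaviour across backends the goal, the fake should reject duplicates on both paths so tests against it cannot pass on a duplicate role assignment that the single-value path would refuse.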