permission-mod: Remove attributelevelrights before reverting entry

LDAPUpdate adds the display-only 'attributelevelrights' attribute, which doesn't exist in LDAP. Remove it before reverting entry. https://fedorahosted.org/freeipa/ticket/4212 Reviewed-By: Martin Kosek <mkosek@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-03-03 14:46:51 +01:00
parent 4048d412f2
commit 02e61961da
2 changed files with 29 additions and 1 deletions
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -988,6 +988,9 @@ class permission_mod(baseldap.LDAPUpdate):
            else:
                self.obj.update_aci(entry, old_entry.single_value['cn'])
        except Exception:
+            # Don't revert attribute which doesn't exist in LDAP
+            entry.pop('attributelevelrights', None)
+
            self.log.error('Error updating ACI: %s' % traceback.format_exc())
            self.log.warn('Reverting entry')
            old_entry.reset_modlist(entry)
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
@@ -315,7 +315,6 @@ class test_permission_negative(Declarative):
                name='ipapermexcludedattr',
                error='only available on managed permissions'),
        ),
-
    ]


@@ -1631,8 +1630,34 @@ class test_permission_rollback(Declarative):
                        pdn=permission1_dn)),
        ),

+    ] + _verifications + [
+
+        dict(
+            desc='Try adding an invalid attribute on %r with --all --rights' % permission1,
+            command=(
+                'permission_mod', [permission1], dict(
+                    attrs=[u'cn', u'bogusattributexyz'],
+                    rights=True,
+                    all=True,
+                )
+            ),
+            expected=errors.InvalidSyntax(
+                attr=r'targetattr "bogusattributexyz" does not exist '
+                    r'in schema. Please add attributeTypes '
+                    r'"bogusattributexyz" to schema if necessary. ACL Syntax '
+                    r'Error(-5):(targetattr = \22bogusattributexyz || cn\22)'
+                    r'(target = \22ldap:///%(tdn)s\22)'
+                    r'(version 3.0;acl \22permission:%(name)s\22;'
+                    r'allow (write) groupdn = \22ldap:///%(dn)s\22;)' % dict(
+                        tdn=DN('uid=admin', users_dn),
+                        name=permission1,
+                        dn=permission1_dn),
+            ),
+        ),
+
    ] + _verifications

+
 class test_permission_sync_attributes(Declarative):
    """Test the effects of setting permission attributes"""
    cleanup_commands = [