mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-12 09:11:55 -06:00
Explicitly filter options that permission-{add,mod} passes to aci-{add,mod}
Make permission commands not pass options that the underlying ACI commands do not understand. Update tests. Remove some extraneous imports of the `copy` module. https://fedorahosted.org/freeipa/ticket/2885
parent
50ebd1a339
commit
03f247ec86
@ -18,7 +18,6 @@
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
import copy
|
||||
from ipalib import api, _, ngettext
|
||||
from ipalib import Flag, Str
|
||||
from ipalib.request import context
|
||||
|
@ -17,8 +17,6 @@
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
import copy
|
||||
|
||||
from ipalib.plugins.baseldap import *
|
||||
from ipalib import api, _, ngettext
|
||||
from ipalib import Flag, Str, StrEnum
|
||||
@ -189,6 +187,11 @@ class permission(LDAPObject):
|
||||
return False
|
||||
return True
|
||||
|
||||
def filter_aci_attributes(self, options):
|
||||
"""Return option dictionary that only includes ACI attributes"""
|
||||
return dict((k, v) for k, v in options.items() if
|
||||
k in self.aci_attributes)
|
||||
|
||||
api.register(permission)
|
||||
|
||||
|
||||
@ -200,7 +203,7 @@ class permission_add(LDAPCreate):
|
||||
|
||||
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
|
||||
# Test the ACI before going any further
|
||||
opts = copy.copy(options)
|
||||
opts = self.obj.filter_aci_attributes(options)
|
||||
opts['test'] = True
|
||||
opts['permission'] = keys[-1]
|
||||
opts['aciprefix'] = ACI_PREFIX
|
||||
@ -217,7 +220,7 @@ class permission_add(LDAPCreate):
|
||||
|
||||
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
|
||||
# Now actually add the aci.
|
||||
opts = copy.copy(options)
|
||||
opts = self.obj.filter_aci_attributes(options)
|
||||
opts['test'] = False
|
||||
opts['permission'] = keys[-1]
|
||||
opts['aciprefix'] = ACI_PREFIX
|
||||
@ -340,9 +343,7 @@ class permission_mod(LDAPUpdate):
|
||||
raise errors.ValidationError(
|
||||
name='rename',error=_('New name can not be empty'))
|
||||
|
||||
opts = copy.copy(options)
|
||||
for o in ['all', 'raw', 'rights', 'test', 'rename']:
|
||||
opts.pop(o, None)
|
||||
opts = self.obj.filter_aci_attributes(options)
|
||||
setattr(context, 'aciupdate', False)
|
||||
# If there are no options left we don't need to do anything to the
|
||||
# underlying ACI.
|
||||
@ -434,13 +435,11 @@ class permission_find(LDAPSearch):
|
||||
# Now find all the ACIs that match. Once we find them, add any that
|
||||
# aren't already in the list along with their permission info.
|
||||
|
||||
opts = copy.copy(options)
|
||||
opts = self.obj.filter_aci_attributes(options)
|
||||
if aciname:
|
||||
opts['aciname'] = aciname
|
||||
opts['aciprefix'] = ACI_PREFIX
|
||||
# permission ACI attribute is needed
|
||||
opts.pop('raw', None)
|
||||
opts.pop('sizelimit', None)
|
||||
aciresults = self.api.Command.aci_find(*args, **opts)
|
||||
truncated = truncated or aciresults['truncated']
|
||||
results = aciresults['result']
|
||||
|
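Review bot: The docstring added to `filter_aci_attributes` (hunk at -189) should state that the helper is an allow-list and that it returns a new dict, because every call site in this file relies on both. Suggested wording: `"""Return a new dict holding only the options named in self.aci_attributes; everything else is dropped so it never reaches the aci-* commands."""`. The fresh dict matters because `pre_callback` and `post_callback` then assign `opts['test']`, `opts['permission']` and `opts['aciprefix']`, which must not leak back into the caller's `options`. `self.aci_attributes` is declared outside the visible hunks. If the `opts.pop('raw', None)` and `opts.pop('sizelimit', None)` lines in the -434 hunk are among those removed, their exclusion from `aci_find` now rests on that list alone, so it is worth confirming neither name appears in it.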
@ -17,8 +17,6 @@
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
import copy
|
||||
|
||||
from ipalib import api, _, ngettext
|
||||
from ipalib import Flag, Str
|
||||
from ipalib.request import context
|
||||
|
@ -19,7 +19,6 @@
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
from time import gmtime, strftime, strptime
|
||||
import copy
|
||||
import string
|
||||
|
||||
from ipalib import api, errors
|
||||
|
@ -304,6 +304,8 @@ class test_permission(Declarative):
|
||||
'permission_add', [permission2], dict(
|
||||
type=u'user',
|
||||
permissions=u'write',
|
||||
setattr=u'owner=cn=test',
|
||||
addattr=u'owner=cn=test2',
|
||||
)
|
||||
),
|
||||
expected=dict(
|
||||
@ -315,6 +317,7 @@ class test_permission(Declarative):
|
||||
objectclass=objectclasses.permission,
|
||||
type=u'user',
|
||||
permissions=[u'write'],
|
||||
owner=[u'cn=test', u'cn=test2'],
|
||||
),
|
||||
),
|
||||
),
|
||||
@ -482,7 +485,12 @@ class test_permission(Declarative):
|
||||
dict(
|
||||
desc='Update %r' % permission1,
|
||||
command=(
|
||||
'permission_mod', [permission1], dict(permissions=u'read', memberof=u'ipausers')
|
||||
'permission_mod', [permission1], dict(
|
||||
permissions=u'read',
|
||||
memberof=u'ipausers',
|
||||
setattr=u'owner=cn=other-test',
|
||||
addattr=u'owner=cn=other-test2',
|
||||
)
|
||||
),
|
||||
expected=dict(
|
||||
value=permission1,
|
||||
@ -494,6 +502,7 @@ class test_permission(Declarative):
|
||||
type=u'user',
|
||||
permissions=[u'read'],
|
||||
memberof=u'ipausers',
|
||||
owner=[u'cn=other-test', u'cn=other-test2'],
|
||||
),
|
||||
),
|
||||
),
|
||||
|
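Review bot: The added `setattr`/`addattr` arguments exercise `permission_add` and `permission_mod` only; none of the visible hunks adds a case for `permission_find`, whose option forwarding to `aci_find` this commit also changes. A declarative case that passes a non-ACI option and expects a normal result would pin that path, for example `command=('permission_find', [permission1], dict(sizelimit=1))` with the matching `expected` dict. The rest of `test_permission` lies outside these hunks, so such a case may already exist there.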