Raise better error message for permission added to generated tree

https://fedorahosted.org/freeipa/ticket/4523 Reviewed-By: Thierry bordaz (tbordaz) <tbordaz@redhat.com>
2024-12-26 00:41:25 -06:00 · 2014-10-16 12:40:24 +02:00 · 2014-10-16 12:40:24 +02:00 · 061f7ff331
commit 061f7ff331
parent cf860c7154
1 changed files with 8 additions and 1 deletions
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@ -972,7 +972,7 @@ class permission_add(baseldap.LDAPCreate):
    def post_callback(self, ldap, dn, entry, *keys, **options):
        try:
            self.obj.add_aci(entry)
-        except Exception:
+        except Exception, e:
            # Adding the ACI failed.
            # We want to be 100% sure the ACI is not there, so try to
            # remove it. (This is a no-op if the ACI was not added.)
@ -988,6 +988,13 @@ class permission_add(baseldap.LDAPCreate):
                self.api.Backend['ldap2'].delete_entry(entry)
            except errors.NotFound:
                pass
+            if isinstance(e, errors.NotFound):
+                # add_aci may raise NotFound if the subtree is only virtual
+                # like cn=compat,SUFFIX and thus passes the LDAP get entry test
+                location = DN(entry.single_value['ipapermlocation'])
+                raise errors.ValidationError(
+                    name='ipapermlocation',
+                    error=_('Cannot store permission ACI to %s') % location)
            # Re-raise original exception
            raise
        self.obj.postprocess_result(entry, options)