permission-mod: Do not copy member attributes to new entry

Fixes: https://fedorahosted.org/freeipa/ticket/4178 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-02-19 14:18:58 +01:00 · 2014-02-19 14:18:58 +01:00 · 0824d12c95
commit 0824d12c95
parent 340cbd4a7d
1 changed files with 3 additions and 1 deletions
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@ -883,7 +883,9 @@ class permission_mod(baseldap.LDAPUpdate):
        # it cannot be used directly to generate an ACI.
        # First we need to copy the original data into it.
        for key, value in old_entry.iteritems():
-            if key not in options and key != 'cn':
+            if (key not in options and
+                    key != 'cn' and
+                    key not in self.obj.attribute_members):
                entry.setdefault(key, value)

        if not entry.get('ipapermlocation'):