Raise a more specific error when a user lacks the proper permissions.

The info part of the message will contain details on what permission
failed on what attribute.

ipalib/errors.py

@@ -396,10 +396,6 @@ class DefaultGroup(ConfigurationError):
     """You cannot remove the default users group"""
     faultCode = 1025
 
-class InsufficientAccess(GenericError):
-    """You do not have permission to perform this task"""
-    faultCode = 1027
-
 class InvalidUserPrincipal(GenericError):
     """Invalid user principal"""
     faultCode = 1028

ipalib/errors2.py

@@ -475,6 +475,7 @@ class ACIError(AuthorizationError):
     """
 
     errno = 2100
+    format = _('Insufficient access: %(info)r')
 
 
 

ipaserver/ipaldap.py

@@ -387,6 +387,8 @@ class IPAdmin(SimpleLDAPObject):
                 raise errors2.DuplicateEntry
             else:
                 raise errors.DatabaseError, e
+        except ldap.INSUFFICIENT_ACCESS, e:
+            raise errors2.ACIError(info=e.args[0].get('info',''))
         except ldap.LDAPError, e:
             raise errors.DatabaseError, e
         return True
@@ -428,6 +430,8 @@ class IPAdmin(SimpleLDAPObject):
         # update, making the oldentry stale.
         except ldap.NO_SUCH_ATTRIBUTE:
             raise errors.MidairCollision
+        except ldap.INSUFFICIENT_ACCESS, e:
+            raise errors2.ACIError(info=e.args[0].get('info',''))
         except ldap.LDAPError, e:
             raise errors.DatabaseError, e
         return True
@@ -500,7 +504,7 @@ class IPAdmin(SimpleLDAPObject):
                 self.set_option(ldap.OPT_SERVER_CONTROLS, sctrl)
             self.delete_s(*args)
         except ldap.INSUFFICIENT_ACCESS, e:
-             raise errors.InsufficientAccess, e
+            raise errors2.ACIError(info=e.args[0].get('info',''))
         except ldap.LDAPError, e:
              raise errors.DatabaseError, e
         return True