Special handling for nsaccountlock attribute in user.

nsaccountlock doesn't have a visible Param but we want do so some basic validation to be sure garbage doesn't get in there so do it in the pre_callback of add and mod. ticket 968
2025-02-25 18:55:28 -06:00 · 2011-02-17 11:58:53 -05:00
parent 23234094c3
commit 4211eee992
1 changed files with 8 additions and 0 deletions
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -63,6 +63,12 @@ from ipalib import _, ngettext
 from ipalib.request import context
 from time import gmtime, strftime

+def validate_nsaccountlock(entry_attrs):
+    if 'nsaccountlock' in entry_attrs:
+        if not isinstance(entry_attrs['nsaccountlock'], basestring):
+            raise errors.OnlyOneValueAllowed(attr='nsaccountlock')
+        if entry_attrs['nsaccountlock'].lower() not in ('true','false'):
+            raise errors.ValidationError(name='nsaccountlock', error='must be TRUE or FALSE')

 class user(LDAPObject):
    """
@@ -258,6 +264,7 @@ class user_add(LDAPCreate):
                raise errors.ManagedGroupExistsError(group=keys[-1])
        except errors.NotFound:
            pass
+        validate_nsaccountlock(entry_attrs)
        config = ldap.get_ipa_config()[1]
        if 'ipamaxusernamelength' in config:
            if len(keys[-1]) > int(config.get('ipamaxusernamelength')[0]):
@@ -335,6 +342,7 @@ class user_mod(LDAPUpdate):
    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
        if 'mail' in entry_attrs:
            entry_attrs['mail'] = self.obj._normalize_email(entry_attrs['mail'])
+        validate_nsaccountlock(entry_attrs)
        return dn

    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):