permission plugin: Do not change extra target filters by "views"

Previously, setting/deleting the "--type" virtual attribute removed all (objectclass=...) target filters. Change so that only the filter associated with --type is removed. The same change applies to --memberof: only filters associated with the option are removed when --memberof is (un-)set. Follow-up to https://fedorahosted.org/freeipa/ticket/4216 Reviewed-By: Martin Kosek <mkosek@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-03-07 16:29:47 +01:00
parent 9f1c3d06bd
commit 64cc4d81cc
2 changed files with 172 additions and 4 deletions
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -689,10 +689,10 @@ class permission(baseldap.LDAPObject):
            If true, a dictionary of operations on ipapermtargetfilter is
            returned.
            These operations must be performed after the existing entry
-            is retreived.
+            is retrieved.
            The dict has the following keys:
-                - remove: list of regular expression objects; values that match
-                    any of them sould be removed
+                - remove: list of regular expression objects;
+                    implicit values that match any of them should be removed
                - add: list of values to be added, after any removals
        :merge_targetfilter:
            If true, the extratargetfilter is copied into ipapermtargetfilter.
@@ -1042,10 +1042,13 @@ class permission_mod(baseldap.LDAPUpdate):
                list(filter_attr_info['implicit_targetfilters']))

        filter_ops = context.filter_ops
+        old_filter_attr_info = self.obj._get_filter_attr_info(old_entry)
+        old_implicit_filters = old_filter_attr_info['implicit_targetfilters']
        removes = filter_ops.get('remove', [])
        new_filters = set(
            filt for filt in (entry.get('ipapermtargetfilter') or [])
-            if not any(rem.match(filt) for rem in removes))
+            if filt not in old_implicit_filters or
+                not any(rem.match(filt) for rem in removes))
        new_filters.update(filter_ops.get('add', []))
        new_filters.update(options.get('ipapermtargetfilter') or [])
        entry['ipapermtargetfilter'] = list(new_filters)