permission plugin: Auto-add operational attributes to read permissions

The attributes entryusn, createtimestamp, and modifytimestamp
should be readable whenever their entry is, i.e. when we allow reading
the objectclass.
Automatically add them to every read permission that includes objectclass.

https://fedorahosted.org/freeipa/ticket/4534

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Petr Viktorin
2014-09-12 09:59:52 +02:00
parent d61fb40542
commit 6ce44c4f05
4 changed files with 96 additions and 43 deletions

@@ -66,7 +66,8 @@ class test_realmdomains(Declarative):
objectclass=objectclasses.realmdomains,
aci=[
u'(targetattr = "associateddomain || cn || '
u'objectclass")'
u'createtimestamp || entryusn || '
u'modifytimestamp || objectclass")'
u'(targetfilter = "(objectclass=domainrelatedobject)")'
u'(version 3.0;acl '
u'"permission:System: Read Realm Domains";'
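
Review bot: the updated expectation for "System: Read Realm Domains" only exercises the positive case, a read permission whose targetattr already lists objectclass. Since the commit message makes objectclass the trigger, a companion expectation would pin the condition down: a read permission without objectclass, and a permission that does not grant read, should both show that createtimestamp, entryusn and modifytimestamp are not added. The literal string also depends on the attributes being emitted in sorted order (createtimestamp || entryusn || modifytimestamp || objectclass). If the plugin does not guarantee that ordering, comparing the parsed targetattr set would be less brittle than matching the whole ACI string.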