IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-22 15:13:50 -06:00
Code Issues Packages Projects Releases Wiki Activity

config: use context.principal only when it is defined

Browse Source 
In server-like context we use LDAPI connection with auto-binding to LDAP
object based on the UID of the process connecting to LDAPI UNIX domain
socket. This means context.principal is not set and we cannot use it.

Make sure to reject requests unless we are operating as a Directory
Manager in such cases.

Fixes: https://pagure.io/freeipa/issue/9583

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
This commit is contained in:
Alexander Bokovoy 2024-04-26 19:42:29 +03:00 committed by Antonio Torres
parent 3608b2b63d
commit 71d886f071
No known key found for this signature in database
GPG Key ID: 359FAF777296F653
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ipaserver/plugins/config.py
View File

@ -516,7 +516,8 @@ class config_mod(LDAPUpdate):
def _enable_sid(self, ldap, options):
# the user must have the Replication Administrators privilege
privilege = 'Replication Administrators'
if not principal_has_privilege(self.api, context.principal, privilege):
op_account = getattr(context, 'principal', None)
if not principal_has_privilege(self.api, op_account, privilege):
raise errors.ACIError(
info=_("not allowed to enable SID generation"))