idviews: Enforce objectclass check in idoverride*-del
Even with anchor-to-SID type checking, it would still be possible to delete a user ID override by specifying a group raw anchor and vice versa. This patch introduces an objectclass check in the idoverride*-del commands to prevent that. https://fedorahosted.org/freeipa/ticket/5029 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
parent
e0d3231f07
commit
aa066f31a5
@ -718,6 +718,25 @@ class baseidoverride_del(LDAPDelete):
|
||||
|
||||
takes_options = LDAPDelete.takes_options + (fallback_to_ldap_option,)
|
||||
|
||||
def pre_callback(self, ldap, dn, *keys, **options):
|
||||
assert isinstance(dn, DN)
|
||||
|
||||
# Make sure the entry we're deleting has all the objectclasses
|
||||
# this object requires
|
||||
try:
|
||||
entry = ldap.get_entry(dn, ['objectclass'])
|
||||
except errors.NotFound:
|
||||
self.obj.handle_not_found(*keys)
|
||||
|
||||
required_object_classes = set(self.obj.object_class)
|
||||
actual_object_classes = set(entry['objectclass'])
|
||||
|
||||
# If not, treat it as a failed search
|
||||
if not required_object_classes.issubset(actual_object_classes):
|
||||
self.obj.handle_not_found(*keys)
|
||||
|
||||
return dn
|
||||
|
||||
|
||||
class baseidoverride_mod(LDAPUpdate):
|
||||
__doc__ = _('Modify an ID override.')
|
||||
|
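Review bot: The objectclass comparison in pre_callback is case-sensitive (`set(self.obj.object_class)` against `set(entry['objectclass'])`), while LDAP objectClass values are matched case-insensitively by the directory, so an entry whose stored values differ only in case from `self.obj.object_class` would be reported as not found and become undeletable through this command; normalising both sides, `required_object_classes = {oc.lower() for oc in self.obj.object_class}` and `actual_object_classes = {oc.lower() for oc in entry['objectclass']}`, keeps the guard's intent without depending on stored casing. The `except errors.NotFound:` branch relies on `self.obj.handle_not_found(*keys)` raising; if it ever returned, `entry` would be unbound on the next line, so a short comment such as `# handle_not_found raises NotFound; entry is always bound below` would document that assumption. Note also that the objectclass read and the delete are separate LDAP operations, so the check is a best-effort type guard rather than an atomic one; that is presumably acceptable here but worth a one-line comment. The enclosing class baseidoverride_del starts outside the hunk.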