mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-22 15:13:50 -06:00
server: use context.principal only when it is defined
In server-like context we use LDAPI connection with auto-binding to LDAP object based on the UID of the process connecting to LDAPI UNIX domain socket. This means context.principal is not set and we cannot use it. Make sure to reject requests unless we are operating as a Directory Manager in such cases.

Fixes: https://pagure.io/freeipa/issue/9583
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
parent 71d886f071
commit ab5465639d
@ -934,7 +934,8 @@ class server_conncheck(crud.PKQuery):
|
||||
|
||||
# the user must have the Replication Administrators privilege
|
||||
privilege = u'Replication Administrators'
|
||||
if not principal_has_privilege(self.api, context.principal, privilege):
|
||||
op_account = getattr(context, 'principal', None)
|
||||
if not principal_has_privilege(self.api, op_account, privilege):
|
||||
raise errors.ACIError(
|
||||
info=_("not allowed to perform server connection check"))
|
||||
|
||||
|
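Review bot: on the new `op_account = getattr(context, 'principal', None)` line, a missing principal is passed straight into `principal_has_privilege(self.api, op_account, privilege)` as None, so whether this check fails closed depends entirely on how that helper treats None, which this hunk does not show. The commit message says such requests must be rejected unless operating as Directory Manager; please confirm the helper implements exactly that for a None principal, and that it cannot end up matching an entry or returning True by accident. A short comment above the getattr noting that context.principal is unset under LDAPI autobind would keep a later cleanup from restoring the direct attribute access, and a test that runs server_conncheck with no principal on the context would pin the deny behaviour.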