Disallow deletion of global password policy.

ticket 1936
2025-01-11 08:41:55 -06:00 · 2011-10-11 14:28:17 +02:00 · 2011-10-11 14:28:17 +02:00 · c0879cd00b
commit c0879cd00b
parent 89b869d2c2
2 changed files with 21 additions and 0 deletions
--- a/ipalib/plugins/pwpolicy.py
+++ b/ipalib/plugins/pwpolicy.py
@ -366,6 +366,14 @@ class pwpolicy_del(LDAPDelete):
            attribute=True, required=True, multivalue=True
        )

+    def pre_callback(self, ldap, dn, *keys, **options):
+        if dn.lower() == global_policy_dn.lower():
+            raise errors.ValidationError(
+                name='group',
+                error=_('cannot delete global password policy')
+            )
+        return dn
+
    def post_callback(self, ldap, dn, *keys, **options):
        try:
            self.api.Command.cosentry_del(keys[-1])
--- a/tests/test_xmlrpc/test_pwpolicy.py
+++ b/tests/test_xmlrpc/test_pwpolicy.py
@ -36,6 +36,7 @@ class test_pwpolicy(XMLRPC_test):
    user = u'testuser12'
    kw = {'cospriority': 1, 'krbminpwdlife': 30, 'krbmaxpwdlife': 40, 'krbpwdhistorylength': 5, 'krbpwdminlength': 6 }
    kw2 = {'cospriority': 2, 'krbminpwdlife': 40, 'krbmaxpwdlife': 60, 'krbpwdhistorylength': 8, 'krbpwdminlength': 9 }
+    global_policy = u'global_policy'

    def test_1_pwpolicy_add(self):
        """
@ -173,6 +174,18 @@ class test_pwpolicy(XMLRPC_test):
        else:
            assert False

+        # Verify that global policy cannot be deleted
+        try:
+            api.Command['pwpolicy_del'](self.global_policy)
+        except errors.ValidationError:
+            pass
+        else:
+            assert False
+        try:
+            api.Command['pwpolicy_show'](self.global_policy)
+        except errors.NotFound:
+            assert False
+
        # Remove the groups we created
        api.Command['group_del'](self.group)
        api.Command['group_del'](self.group2)