permissions plugin: Don't crash with empty targetfilter

https://fedorahosted.org/freeipa/ticket/4206 Reviewed-By: Martin Kosek <mkosek@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-02-28 12:23:17 +01:00 · 2014-02-28 12:23:17 +01:00 · d727599aa8
commit d727599aa8
parent 0c2aec1be5
2 changed files with 48 additions and 1 deletions
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@ -711,7 +711,7 @@ class permission(baseldap.LDAPObject):
            return filter_ops
        elif filter_ops['add']:
            options['ipapermtargetfilter'] = list(options.get(
-                'ipapermtargetfilter', [])) + filter_ops['add']
+                'ipapermtargetfilter') or []) + filter_ops['add']

    def validate_permission(self, entry):
        ldap = self.Backend.ldap2
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
@ -3295,4 +3295,51 @@ class test_permission_filters(Declarative):
            '(version 3.0;acl "permission:%s";' % permission1 +
            'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
        ),
+
+        dict(
+            desc='Delete %r' % permission1,
+            command=('permission_del', [permission1], {}),
+            expected=dict(
+                result=dict(failed=u''),
+                value=permission1,
+                summary=u'Deleted permission "%s"' % permission1,
+            )
+        ),
+
+        verify_permission_aci_missing(permission1, api.env.basedn),
+
+        dict(
+            desc='Create %r with empty filters [#4206]' % permission1,
+            command=(
+                'permission_add', [permission1], dict(
+                    type=u'user',
+                    ipapermright=u'write',
+                    ipapermtargetfilter=u'',
+                )
+            ),
+            expected=dict(
+                value=permission1,
+                summary=u'Added permission "%s"' % permission1,
+                result=dict(
+                    dn=permission1_dn,
+                    cn=[permission1],
+                    objectclass=objectclasses.permission,
+                    type=[u'user'],
+                    ipapermright=[u'write'],
+                    ipapermbindruletype=[u'permission'],
+                    ipapermissiontype=[u'SYSTEM', u'V2'],
+                    ipapermlocation=[users_dn],
+                    ipapermtargetfilter=[
+                        u'(objectclass=posixaccount)',
+                    ],
+                ),
+            ),
+        ),
+
+        verify_permission_aci(
+            permission1, users_dn,
+            '(targetfilter = "(objectclass=posixaccount)")' +
+            '(version 3.0;acl "permission:%s";' % permission1 +
+            'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+        ),
    ]