Prevent deletion of the last admin

Raise an error when trying to delete the last user in the 'admins' group, or remove the last member from the group, or delete the group itself. https://fedorahosted.org/freeipa/ticket/2564
2025-02-25 18:55:28 -06:00 · 2012-05-23 05:44:53 -04:00
parent cf72738b21
commit f8e7b516d9
5 changed files with 150 additions and 3 deletions
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -72,6 +72,8 @@ EXAMPLES:
   ipa group-show localadmins
 """)

+protected_group_name = u'admins'
+
 class group(LDAPObject):
    """
    Group object.
@@ -164,7 +166,9 @@ class group_del(LDAPDelete):
        group_attrs = self.obj.methods.show(
            self.obj.get_primary_key_from_dn(dn), all=True
        )['result']
-
+        if keys[0] == protected_group_name:
+            raise errors.ProtectedEntryError(label=_(u'group'), key=keys[0],
+                reason=_(u'privileged group'))
        if 'mepmanagedby' in group_attrs:
            raise errors.ManagedGroupError()
        return dn
@@ -276,6 +280,16 @@ api.register(group_add_member)
 class group_remove_member(LDAPRemoveMember):
    __doc__ = _('Remove members from a group.')

+    def pre_callback(self, ldap, dn, found, not_found, *keys, **options):
+        if keys[0] == protected_group_name:
+            result = api.Command.group_show(protected_group_name)
+            users_left = set(result['result'].get('member_user', []))
+            users_deleted = set(options['user'])
+            if users_left.issubset(users_deleted):
+                raise errors.LastMemberError(key=sorted(users_deleted)[0],
+                    label=_(u'group'), container=protected_group_name)
+        return dn
+
 api.register(group_remove_member)