`memberdenycmd_sudocmd` and `memberdenycmd_sudocmdgroup` tables are now
enabled/disabled based on `cmdcategory` as well.
https://fedorahosted.org/freeipa/ticket/4361
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Interface for setting default group is hidden when user doesn't have
necessary rights or if there is some error while loading the state.
https://fedorahosted.org/freeipa/ticket/4356
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Using browser history when unauthenticated causes transition to
the original and/or preceding facets. But nothing works since
all commands fail due to expired credentials in session.
These changes make sure that user stays on login screen if he misses
valid session credentials while he wants to switch to facet which
requires authentication.
https://fedorahosted.org/freeipa/ticket/4353
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Dialog instances no longer directly call IPA.opened_dialog methods. It's
handled through events (decoupled from dialog's POV). IPA.open_dialogs
with assistance of ApplicationController makes sure that there is only
one dialog opened at the same time.
It also makes sure to hide all dialogs, which are not global dialogs and
did not originate from current facet, when switching facets.
https://fedorahosted.org/freeipa/ticket/4348
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Memberofindirect processing of an entry doesn't work if the user doesn't
have rights to any one of these attributes:
- member
- memberuser
- memberhost
Add all of these to any read permission that specifies any of them.
Add a check to makeaci that will enforce this for any future permissions.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This reduces typing (or copy/pasting), and draws a bit of attention
to any non-default privileges (currently 'any' or 'anonymous').
Leaving the bindtype out by mistake isn't dangerous: by default
a permission is not granted to anyone, since it is not included in
any privileges.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The ACI.txt file is a list of all managed permissions in ACI form.
Similarly to API.txt, it ensures that changes are not made lightly,
since modifications must be reflected in ACI.txt and committed to Git.
Add a script, makeaci, which parallels makeapi: it recreates or
validates ACI.txt.
Call makeaci --validate before the build, just after API.txt is validated.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
There is only one top level item -> no point of having this level.
This patch replaces top level with second menu level.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
GID field should be enabled by default since the default group is posix.
Was caused by option_widget_base not properly reporting value change while
selecting the default value. It has to be notified with delay otherwise the
event is consumed by FieldBinder.
https://fedorahosted.org/freeipa/ticket/4325
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
- Add nsAccountLock to the Unlock user accounts permission
- Add member to Read User Membership
- Add userClass and preferredLanguage to Modify Users
https://fedorahosted.org/freeipa/ticket/3697
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This handles the case where IPA's default ACIs changed in something else
than just attribute lists.
In this case we can narrow the set of ACIs we think the user might be
upgrading from.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
When the strings are changed again, translators will only need to
re-translate the modified parts.
See: https://fedorahosted.org/freeipa/ticket/3587
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Now buttons have normal button appearance instead of link button.
Partially fixes: https://fedorahosted.org/freeipa/ticket/4258 since the disabling is done through button's disabled attribute.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Sometimes Chrome driver has issues with clicking on items. This patch
is making it more solid. Better error reporting added for cases where
it doesn't help.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>