LDAPObject sub-classes can define a custom list of attributes for effective rights retrieval.

Fix #677

Pavel
>From 98b7456f1c4d872e265ea4e8c26ab42e206375e8 Mon Sep 17 00:00:00 2001
From: Pavel Zuna <pz...@redhat.com>
Date: Thu, 30 Dec 2010 08:48:12 -0500
Subject: [PATCH 2/4] Enable custom list of attributes to retrieve effective rights.

Fix #677
---
 ipalib/plugins/baseldap.py |   38 ++++++++++++++++++++------------------
 ipalib/plugins/config.py   |    4 ++++
 2 files changed, 24 insertions(+), 18 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 259d02b..1cd181c 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -162,20 +162,6 @@ def get_attributes(attrs):
     return attrlist
 
 
-def get_effective_rights(ldap, dn, attrs=None):
-    if attrs is None:
-        attrs = ['*', 'nsaccountlock', 'cospriority']
-    rights = ldap.get_effective_rights(dn, attrs)
-    rdict = {}
-    if 'attributelevelrights' in rights[1]:
-        rights = rights[1]['attributelevelrights']
-        rights = rights[0].split(', ')
-        for r in rights:
-            (k,v) = r.split(':')
-            rdict[k.strip().lower()] = v
-
-    return rdict
-
 def wait_for_memberof(keys, entry_start, completed, show_command, adding=True):
     """
     When adding or removing reverse members we are faking an update to
@@ -240,6 +226,7 @@ class LDAPObject(Object):
     search_attributes_config = None
     default_attributes = []
     hidden_attributes = ['objectclass', 'aci']
+    rights_attributes = ['*', 'nsaccountlock', 'cospriority']
     # set rdn_attribute only if RDN attribute differs from primary key!
     rdn_attribute = ''
     uuid_attribute = ''
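Review bot: `rights_attributes` is added without a comment, although it is the override point sub-classes are expected to use. Something like `# attributes requested when retrieving effective rights; sub-classes should build a new list rather than append to this one` would document it, since the list is a mutable class attribute shared by every LDAPObject sub-class that does not override it. The LDAPObject class body continues outside this hunk.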
@@ -288,6 +275,19 @@ class LDAPObject(Object):
             pass
         return dn[len(self.primary_key.name) + 1:dn.find(',')]
 
+    def get_effective_rights(self, dn, attrs=None):
+        rdict = {}
+        if attrs is None:
+            attrs = self.rights_attributes
+        rights = self.backend.get_effective_rights(dn, attrs)
+        if 'attributelevelrights' in rights[1]:
+            rights = rights[1]['attributelevelrights']
+            rights = rights[0].split(', ')
+            for r in rights:
+                (k, v) = r.split(':')
+                rdict[k.strip().lower()] = v
+        return rdict
+
     def get_ancestor_primary_keys(self):
         if self.parent_object:
             parent_obj = self.api.Object[self.parent_object]
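Review bot: The parsing loop in get_effective_rights unpacks `r.split(':')` into exactly two names, so an empty `attributelevelrights` value (where `''.split(', ')` yields `['']`) or an item containing a second colon raises ValueError instead of returning a dict. Splitting once and skipping blanks avoids that: `for r in filter(None, rights[0].split(', ')):` with `k, _, v = r.partition(':')`. The method also has no docstring; one sentence saying it returns a dict mapping lower-cased attribute names to the rights string reported by the backend, and that `attrs` defaults to `self.rights_attributes`, would help now that callers place this result in command output. The trailing context lines belong to get_ancestor_primary_keys, which continues outside the hunk.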
@@ -674,8 +674,9 @@ class LDAPRetrieve(LDAPQuery):
             except errors.NotFound:
                 self.obj.handle_not_found(*keys)
 
-        if options.get('rights', False) and options.get('all', False):
-            entry_attrs['attributelevelrights'] = get_effective_rights(ldap, dn)
+        if options.get('rights', False):
+            rights = self.obj.get_effective_rights(dn)
+            entry_attrs['attributelevelrights'] = rights
 
         for callback in self.POST_CALLBACKS:
             if hasattr(callback, 'im_self'):
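Review bot: With the `options.get('all', False)` test dropped, `--rights` alone now triggers the lookup, and because `rights_attributes` starts with `'*'` the returned `attributelevelrights` can describe attributes that are not in `entry_attrs` when `--all` was not given. If that is intended, say so at the call site, e.g. `# rights are reported for obj.rights_attributes, independent of --all`; the help text of the `rights` option (not visible here) presumably needs the same update. The identical change in the LDAPUpdate hunk deserves an extra look: the lookup appears to run after the modification has been applied, so an exception from get_effective_rights would report failure for a change that already took effect. Both enclosing methods start and end outside their hunks.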
@@ -830,8 +831,9 @@ class LDAPUpdate(LDAPQuery, crud.Update):
                     format=_('the entry was deleted while being modified')
                 )
 
-        if options.get('rights', False) and options.get('all', False):
-            entry_attrs['attributelevelrights'] = get_effective_rights(ldap, dn)
+        if options.get('rights', False):
+            rights = self.obj.get_effective_rights(dn)
+            entry_attrs['attributelevelrights'] = rights
 
         for callback in self.POST_CALLBACKS:
             if hasattr(callback, 'im_self'):
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index cabfd76..7c9f458 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -81,6 +81,9 @@ class config(LDAPObject):
         'ipasearchrecordslimit', 'ipausersearchfields', 'ipagroupsearchfields',
         'ipamigrationenabled', 'ipacertificatesubjectbase',
     ]
+    rights_attributes = LDAPObject.rights_attributes + [
+        'ipahomesrootdir', 'ipagroupsearchfields',
+    ]
 
     label = _('Configuration')
 
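Review bot: The override names `'ipahomesrootdir'` and `'ipagroupsearchfields'` but not `'ipausersearchfields'`, which sits beside the latter in the attribute list just above, and nothing says why these two need to be requested explicitly on top of `'*'`. A short comment such as `# attributes whose rights are not reported via '*'` (wording to be confirmed by the author) would make the selection reviewable. If the omission of `ipausersearchfields` is accidental, it should be added here.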
@@ -200,3 +203,4 @@ class config_show(LDAPRetrieve):
     """
 
 api.register(config_show)
+
-- 
1.7.1.1
