Rob Crittenden wrote:
Martin Kosek wrote:
On Tue, 2011-02-01 at 09:07 -0500, Rob Crittenden wrote:
Martin Kosek wrote:
2) In delegation.ldif: ipapermission object class is missing for
removeentitlements and modifyentitlements (it has been added for
addentitlements though)

This was on purpose, I should have been clearer. Patch 664 makes major
changes to these and I'm trying to make the merge easier. I'll fix them
up when 664 gets pushed.

I thought so. I was confused by the addentitlements permission, whose
objectclass was updated. We just have to make sure that the
entitlements patch includes this new objectClass.




QUESTION:
In this patch you add a READONLY flag to the Replica permissions. However, it
is not actually used and stays just an informative flag. It won't
prevent a user from modifying/removing READONLY permissions.

I guess enhancing permission-mod and permission-del with a READONLY check
will be the subject of another ticket?

Ok, interesting point. I considered the aci itself to be read-only. The
only thing a user could do is rename the permission, right? I think that
would maintain consistency so it shouldn't be a problem. It would
probably be easy to really make these read-only but that would have a UI
impact as well, perhaps a problematic one. I suppose if they could
handle any read-only exceptions we'd raise that would be adequate.

rob

Yes, a user could rename or delete the permission. In both cases it won't have
any effect on the ACI, as the ACI plugin does not see it. But I think it
would be nice to prevent modifications to these permissions when we have
this new and shiny READONLY flag. A read-only exception may be a way to
achieve this...

Martin


I think I got everything. Simo suggested using SYSTEM instead of
READONLY so I switched to that. I also renamed the attribute to
ipapermissiontype and added enforcement over mod/del.

rob

Martin found a few more problems, here is another patch.

rob
From dbdfbc11aa1425005eb41a7d608f784364d9077d Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Tue, 1 Feb 2011 11:57:18 -0500
Subject: [PATCH] Add new schema to store information about permissions.

There are some permissions we can't display because they are stored
outside of the basedn (such as the replication permissions). We
are adding a new attribute to store extra information to make this
clear, in this case SYSTEM.

ticket 853
---
 install/share/60basev2.ldif        |    2 +
 install/share/delegation.ldif      |   49 ++++++++++++++++++++++++++++++++++++
 ipalib/plugins/permission.py       |   30 ++++++++++++++++++++-
 tests/test_xmlrpc/objectclasses.py |    1 +
 4 files changed, 80 insertions(+), 2 deletions(-)

diff --git a/install/share/60basev2.ldif b/install/share/60basev2.ldif
index 7eb346b..f5f7a65 100644
--- a/install/share/60basev2.ldif
+++ b/install/share/60basev2.ldif
@@ -13,6 +13,7 @@ attributeTypes: (2.16.840.1.113730.3.8.3.4 NAME 'fqdn' DESC 'FQDN' EQUALITY case
 attributeTypes: (2.16.840.1.113730.3.8.3.18 NAME 'managedBy' DESC 'DNs of entries allowed to manage' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2')
 objectClasses: (2.16.840.1.113730.3.8.4.1 NAME 'ipaHost' AUXILIARY MUST ( fqdn ) MAY ( userPassword $ ipaClientVersion $ enrolledBy $ memberOf) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.12 NAME 'ipaObject' DESC 'IPA objectclass' AUXILIARY MUST ( ipaUniqueId ) X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.4.15 NAME 'ipaPermission' DESC 'IPA Permission objectclass' AUXILIARY MAY ( ipaPermissionType ) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $ managedBy ) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.3 NAME 'nestedGroup' DESC 'Group that supports nesting' SUP groupOfNames STRUCTURAL MAY memberOf X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.4 NAME 'ipaUserGroup' DESC 'IPA user group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )
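Review bot: the new `ipaPermission` class (2.16.840.1.113730.3.8.4.15) names `ipaPermissionType` in its MAY list, but that attribute is only defined in the next hunk, further down in 60basev2.ldif. If the schema loader does not tolerate a forward reference, the objectClass line will fail to parse; the safe layout is the one the file already follows for `managedBy`/`ipaService`, with the attributeTypes line placed above the objectClasses that use it. Please either confirm 389-ds accepts the ordering or move the attribute definition up.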
@@ -23,6 +24,7 @@ attributeTypes: (2.16.840.1.113730.3.8.3.7 NAME 'memberHost' DESC 'Reference to
 attributeTypes: (2.16.840.1.113730.3.8.3.8 NAME 'hostCategory' DESC 'Additional classification for hosts' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.19 NAME 'serviceCategory' DESC 'Additional classification for services' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.20 NAME 'memberService' DESC 'Reference to the pam service of this operation.' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.3.25 NAME 'ipaPermissionType' DESC 'IPA permission flags' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.9 NAME 'ipaEnabledFlag' DESC 'The flag to show if the association is active or should be ignored' EQUALITY booleanMatch ORDERING booleanMatch SUBSTR booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.6 NAME 'ipaAssociation' ABSTRACT MUST ( ipaUniqueID $ cn ) MAY ( memberUser $ userCategory $ memberHost $ hostCategory $ ipaEnabledFlag $ description ) X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.10 NAME 'sourceHost' DESC 'Link to a host or group of hosts' SUP memberHost SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
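Review bot: `SUBSTR caseIgnoreMatch` on `ipaPermissionType` is the wrong matching rule: caseIgnoreMatch is an EQUALITY rule, and the substring rule the neighbouring `hostCategory` and `serviceCategory` definitions use is `caseIgnoreSubstringsMatch`. Suggest `SUBSTR caseIgnoreSubstringsMatch`. Note also that the attribute is declared case-insensitive (EQUALITY caseIgnoreMatch) and multi-valued, so the Python side that later tests `'SYSTEM' in entry_attrs['ipapermissiontype']` should compare values case-insensitively to match the schema's semantics.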
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index e154f6b..18d045d 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -147,6 +147,7 @@ dn: cn=Add Users,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Users
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -154,6 +155,7 @@ dn: cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Change a user password
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -161,6 +163,7 @@ dn: cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add user to default group
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -168,6 +171,7 @@ dn: cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectclass: top
 objectclass: groupofnames
+objectClass: ipapermission
 cn: Unlock user accounts
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
 member: cn=admins,cn=groups,cn=accounts,$SUFFIX
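Review bot: this entry spells its existing attribute names `objectclass: top` / `objectclass: groupofnames` while the added line is `objectClass: ipapermission`. LDAP attribute names are case-insensitive so it loads fine, but the rest of delegation.ldif uses `objectClass`; match the surrounding spelling here for consistency.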
@@ -176,6 +180,7 @@ dn: cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Users
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -183,6 +188,7 @@ dn: cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Users
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -192,6 +198,7 @@ dn: cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Groups
 member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -199,6 +206,7 @@ dn: cn=Remove Groups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Groups
 member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -206,6 +214,7 @@ dn: cn=Modify Groups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Groups
 member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -213,6 +222,7 @@ dn: cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Group membership
 member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -222,6 +232,7 @@ dn: cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Hosts
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -229,6 +240,7 @@ dn: cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Hosts
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -236,6 +248,7 @@ dn: cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Hosts
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -245,6 +258,7 @@ dn: cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Hostgroups
 member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -252,6 +266,7 @@ dn: cn=Remove Hostgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Hostgroups
 member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -259,6 +274,7 @@ dn: cn=Modify Hostgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Hostgroups
 member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -266,6 +282,7 @@ dn: cn=Modify Hostgroup membership,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Hostgroup membership
 member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -275,6 +292,7 @@ dn: cn=Add Services,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Services
 member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -282,6 +300,7 @@ dn: cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Services
 member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -289,6 +308,7 @@ dn: cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Services
 member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -298,6 +318,7 @@ dn: cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Roles
 member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
 
@@ -305,6 +326,7 @@ dn: cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Roles
 member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
 
@@ -312,6 +334,7 @@ dn: cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Roles
 member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
 
@@ -319,6 +342,7 @@ dn: cn=Modify Role membership,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Role membership
 member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
 
@@ -326,6 +350,7 @@ dn: cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify privilege membership
 member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
 
@@ -335,6 +360,7 @@ dn: cn=Add Automount maps,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Automount maps
 member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -342,6 +368,7 @@ dn: cn=Remove Automount maps,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Automount maps
 member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -349,6 +376,7 @@ dn: cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Automount keys
 member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -356,6 +384,7 @@ dn: cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Automount keys
 member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -365,6 +394,7 @@ dn: cn=Add netgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add netgroups
 member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -372,6 +402,7 @@ dn: cn=Remove netgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove netgroups
 member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -379,6 +410,7 @@ dn: cn=Modify netgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify netgroups
 member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -386,6 +418,7 @@ dn: cn=Modify netgroup membership,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify netgroup membership
 member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -395,6 +428,7 @@ dn: cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Manage host keytab
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
 member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
@@ -403,6 +437,7 @@ dn: cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Manage service keytab
 member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
 member: cn=admins,cn=groups,cn=accounts,$SUFFIX
@@ -415,6 +450,7 @@ dn: cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Enroll a host
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
 member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
@@ -425,21 +461,27 @@ dn: cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Replication Agreements
+ipapermissiontype: SYSTEM
 member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
 
 dn: cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Replication Agreements
+ipapermissiontype: SYSTEM
 member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
 
 dn: cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Replication Agreements
+ipapermissiontype: SYSTEM
 member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
 
 # Entitlement management
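Review bot: the three Replication Agreements permissions are the only entries that get `ipapermissiontype: SYSTEM`, and nothing in the LDIF says what the flag means. Since the commit message explains that these ACIs live outside the basedn and permission-mod/permission-del will now refuse to touch them, add a short `#` comment above this group of entries saying so, so that whoever adds the next out-of-tree permission knows to set the flag too.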
@@ -448,6 +490,7 @@ dn: cn=addentitlements,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: addentitlements
 description: Add Entitlements
 member: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX
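Review bot: only `addentitlements` gains `objectClass: ipapermission` here; the thread says `removeentitlements` and `modifyentitlements` are deliberately left for patch 664, but with `permission.object_class` changed to `['groupofnames', 'ipapermission']` in this same patch, permission entries lacking the class may not match the plugin's objectclass filter until 664 lands. Record that dependency in the commit message or a `# TODO` next to these entries so it is not lost if the patches land in a different order.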
@@ -619,6 +662,7 @@ dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Retrieve Certificates from the CA
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -638,6 +682,7 @@ dn: cn=Request Certificate,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Request Certificate
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -657,6 +702,7 @@ dn: cn=Request Certificates from a different host,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Request Certificates from a different host
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -676,6 +722,7 @@ dn: cn=Get Certificates status from the CA,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Get Certificates status from the CA
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -695,6 +742,7 @@ dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Revoke Certificate
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -714,6 +762,7 @@ dn: cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Certificate Remove Hold
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
 
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index b11efda..61aba52 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -73,9 +73,16 @@ from ipalib.plugins.baseldap import *
 from ipalib import api, _, ngettext
 from ipalib import Flag, Str, StrEnum
 from ipalib.request import context
+from ipalib import errors
 
 ACI_PREFIX=u"permission"
 
+output_params = (
+    Str('ipapermissiontype',
+        label=_('Permission Type'),
+    ),
+)
+
 class permission(LDAPObject):
     """
     Permission object.
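Review bot: `output_params` declares `ipapermissiontype` as a single-valued `Str`, but the schema describes it as "IPA permission flags" (multi-valued) and `check_system` treats the value as a list. If more than one flag is ever stored, only a multi-valued param shows them all; use whichever multi-value form the framework expects for output params here. Minor: `from ipalib import errors` can be folded into the existing `from ipalib import api, _, ngettext` import.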
@@ -83,9 +90,9 @@ class permission(LDAPObject):
     container_dn = api.env.container_permission
     object_name = 'permission'
     object_name_plural = 'permissions'
-    object_class = ['groupofnames']
+    object_class = ['groupofnames', 'ipapermission']
     default_attributes = ['cn', 'member', 'memberof',
-        'memberindirect',
+        'memberindirect', 'ipapermissiontype',
     ]
     aci_attributes = ['group', 'permissions', 'attrs', 'type',
         'filter', 'subtree', 'targetgroup',
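Review bot: adding `ipapermission` to `object_class` changes how existing deployments behave. Permissions created before this patch, and every entry in an already-installed `cn=permissions,cn=pbac,$SUFFIX`, do not carry the class, yet the patch only touches `install/share/delegation.ldif` (applied at install time) and adds nothing under `install/updates` (see the file list in the commit). An upgraded server therefore ends up with permission entries the plugin's objectclass filter may no longer match. Add an update that adds `objectClass: ipapermission` to existing permission entries and `ipapermissiontype: SYSTEM` to the three replication ones.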
@@ -150,6 +157,17 @@ class permission(LDAPObject):
         ),
     )
 
+    # Don't allow SYSTEM permissions to be modified or removed
+    def check_system(self, ldap, dn, *keys):
+        try:
+            (dn, entry_attrs) = ldap.get_entry(dn, ['ipapermissiontype'])
+        except errors.NotFound:
+            self.handle_not_found(*keys)
+        if 'ipapermissiontype' in entry_attrs:
+            if 'SYSTEM' in entry_attrs['ipapermissiontype']:
+                return False
+        return True
+
 api.register(permission)
 
 
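Review bot: `check_system` returns False when the permission *is* SYSTEM, which inverts what the name suggests and forces `if not self.obj.check_system(...)` at both call sites; `is_system` returning True for a SYSTEM entry reads more naturally. The test `'SYSTEM' in entry_attrs['ipapermissiontype']` is case-sensitive although the attribute is defined with EQUALITY caseIgnoreMatch, so a value stored as `system` would not be protected; compare `v.upper() == 'SYSTEM'` over the values instead. Minor: `(dn, entry_attrs) = ldap.get_entry(...)` rebinds the `dn` argument, which is harmless here but worth avoiding.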
@@ -220,6 +238,8 @@ class permission_del(LDAPDelete):
     msg_summary = _('Deleted permission "%(value)s"')
 
     def pre_callback(self, ldap, dn, *keys, **options):
+        if not self.obj.check_system(ldap, dn, *keys):
+            raise errors.ACIError(info='A SYSTEM permission may not be removed')
         # remove permission even when the underlying ACI is missing
         try:
             self.api.Command.aci_del(keys[-1], aciprefix=ACI_PREFIX)
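Review bot: `errors.ACIError` is raised for a policy decision (the entry is flagged SYSTEM) rather than for a directory access-control failure, which is what callers and the UI will assume that error class means; a more specific error type would make the read-only case the thread discusses easier to handle client-side. The ordering is right, though: the SYSTEM check runs before the `aci_del` try block, so a SYSTEM permission whose ACI happens to be missing is still refused; a one-line comment saying that is intentional would help.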
@@ -236,8 +256,12 @@ class permission_mod(LDAPUpdate):
     """
 
     msg_summary = _('Modified permission "%(value)s"')
+    has_output_params = LDAPUpdate.has_output_params + output_params
 
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+        if not self.obj.check_system(ldap, dn, *keys):
+            raise errors.ACIError(info='A SYSTEM permission may not be modified')
+
         # check if permission is in LDAP
         try:
             (dn, attrs) = ldap.get_entry(
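Review bot: `check_system` performs its own `ldap.get_entry`, and this pre_callback fetches the same entry again a few lines later with `(dn, attrs) = ldap.get_entry(...)`; fold the SYSTEM test into that existing fetch by adding `ipapermissiontype` to its attribute list and save a round trip. Separately, if `--setattr`/`--addattr` are available on this command, confirm they cannot be used on a non-SYSTEM permission to set `ipapermissiontype=SYSTEM`, since that would let a caller create a permission that the API can then never modify or delete.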
@@ -330,6 +354,7 @@ class permission_find(LDAPSearch):
     msg_summary = ngettext(
         '%(count)d permission matched', '%(count)d permissions matched'
     )
+    has_output_params = LDAPSearch.has_output_params + output_params
 
     def post_callback(self, ldap, entries, truncated, *args, **options):
         for entry in entries:
@@ -378,6 +403,7 @@ class permission_show(LDAPRetrieve):
     """
     Display information about a permission.
     """
+    has_output_params = LDAPRetrieve.has_output_params + output_params
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         try:
             aci = self.api.Command.aci_show(keys[-1], aciprefix=ACI_PREFIX)['result']
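Review bot: style only: put a blank line between `has_output_params = ...` and `def post_callback`, as `permission_mod` and `permission_find` above do, so the class attribute is not visually glued to the method.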
diff --git a/tests/test_xmlrpc/objectclasses.py b/tests/test_xmlrpc/objectclasses.py
index 20b008c..0d03b47 100644
--- a/tests/test_xmlrpc/objectclasses.py
+++ b/tests/test_xmlrpc/objectclasses.py
@@ -68,6 +68,7 @@ role = [
 
 permission = [
     u'groupofnames',
+    u'ipapermission',
     u'top'
 ]
 
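Review bot: the test change only records the new objectclass on created permissions. Nothing exercises the new enforcement (permission-mod or permission-del against a SYSTEM permission such as `Add Replication Agreements` raising `ACIError`) or checks that `ipapermissiontype` shows up in permission-show/permission-find output. Add those cases to the xmlrpc tests so the SYSTEM protection cannot regress silently.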
-- 
1.7.3.4

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
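The thread raises two things an administrator would want to audit on an existing server once this patch is in: permission entries that still lack the `ipapermission` objectclass, and entries flagged SYSTEM that permission-mod/permission-del now refuse. The following audit script is an added example written for this page; it is not part of the patch or of FreeIPA. It reads an LDIF dump (as produced by an `ldapsearch -LLL` over `cn=permissions,cn=pbac,$SUFFIX`), which here is a constructed sample using `dc=example,dc=com` as the suffix. The lowercase `system` value in the sample is deliberate: the attribute is defined with `caseIgnoreMatch`, so the check compares case-insensitively rather than with a literal `'SYSTEM' in values` test.

```python
"""Audit FreeIPA permission entries in an LDIF dump.

Added example, not code from the patch or the FreeIPA project.  Reports
permission entries that lack the ipapermission objectclass (so they would
not match a filter built from the plugin's new object_class) and entries
flagged SYSTEM (which permission-mod/permission-del refuse to touch).
SAMPLE_LDIF is constructed for this example; the suffix dc=example,dc=com
is an assumption.
"""

SAMPLE_LDIF = """\
dn: cn=Add Users,cn=permissions,cn=pbac,dc=example,dc=com
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Add Users
member: cn=User Administrators,cn=privileges,cn=pbac,dc=example,dc=com

dn: cn=removeentitlements,cn=permissions,cn=pbac,dc=example,dc=com
objectClass: top
objectClass: groupofnames
cn: removeentitlements
description: Remove Entitlements
member: cn=entitlementadmin,cn=privileges,cn=pbac,dc=example,dc=com

dn: cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=example,dc=com
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Add Replication Agreements
ipapermissiontype: system
member: cn=Replication Administrators,cn=privileges,cn=pbac,dc=example,dc=com
"""


def parse_ldif(text):
    """Minimal LDIF reader returning a list of (dn, {attr_lower: [values]}).

    Handles folded continuation lines (leading space) and comments, but not
    base64 (::) or URL (:<) values, which permission entries do not use.
    """
    entries = []
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # unfold continuation line
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def is_system(attrs):
    """True if any ipapermissiontype value is SYSTEM.

    The attribute is defined with EQUALITY caseIgnoreMatch, so the
    comparison is case-insensitive rather than a literal 'SYSTEM' in list.
    """
    return any(v.upper() == "SYSTEM" for v in attrs.get("ipapermissiontype", []))


def audit_permissions(text, required_oc="ipapermission"):
    """Return {'missing_objectclass': [cn...], 'system': [cn...]}."""
    report = {"missing_objectclass": [], "system": []}
    for dn, attrs in parse_ldif(text):
        # Only look at entries directly under the permissions container.
        if ",cn=permissions," not in dn.lower():
            continue
        cn = attrs.get("cn", [dn])[0]
        ocs = {oc.lower() for oc in attrs.get("objectclass", [])}
        if required_oc not in ocs:
            report["missing_objectclass"].append(cn)
        if is_system(attrs):
            report["system"].append(cn)
    return report


if __name__ == "__main__":
    for key, names in audit_permissions(SAMPLE_LDIF).items():
        print("%s: %s" % (key, ", ".join(names) or "-"))
```

Running it against a real dump is a matter of replacing SAMPLE_LDIF with the file contents; entries listed under missing_objectclass are the ones an upgrade step would have to fix, and entries under system are the ones the API will now refuse to modify or delete.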
