Raise an error when trying to delete the last user from the 'admins'
group

The 'admin' group name seems like something that shouldn't be hardcoded, but that's how it's done in the webui and some of our ACIs, and I don't see another solution short of adding a new attribute.


https://fedorahosted.org/freeipa/ticket/2564
--
Petr³
From 8ae8bf5b0c05caa828eb342c0c24a16be38adae8 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 23 May 2012 05:44:53 -0400
Subject: [PATCH] Prevent deletion of the last admin

Raise an error when trying to delete the last user from the 'admins'
group

https://fedorahosted.org/freeipa/ticket/2564
---
 ipalib/errors.py                      |   16 +++++++++++++
 ipalib/plugins/user.py                |    9 ++++++--
 tests/test_xmlrpc/test_user_plugin.py |   41 +++++++++++++++++++++++++++++++++
 3 files changed, 64 insertions(+), 2 deletions(-)

diff --git a/ipalib/errors.py b/ipalib/errors.py
index df4ab4167cb5eee1ab940518746bf5c4109a009f..7c7ab575c2a510889adb3a0893c905e40e1f6d8b 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1575,6 +1575,22 @@ class DependentEntry(ExecutionError):
     format = _('%(key)s cannot be deleted because %(label)s %(dependent)s requires it')
 
 
+class LastMemberError(ExecutionError):
+    """
+    **4308** Raised when an entry being deleted is last member of an admins group
+
+    For example:
+    >>> raise LastMemberError(key=u'admin', label=u'group', container=u'admins')
+    Traceback (most recent call last):
+      ...
+    LastMemberError: admin cannot be deleted because it is the last member of group admins
+
+    """
+
+    errno = 4308
+    format = _('%(key)s cannot be deleted because it is the last member of %(label)s %(container)s')
+
+
 ##############################################################################
 # 5000 - 5999: Generic errors
 
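Review bot: The docstring on line 35 describes the new error as specific to "an admins group", but the class is generic — it takes key, label and container and names no particular group — so the text will mislead the next caller that reuses it for another container. Suggest rewording the summary to `**4308** Raised when an entry cannot be deleted because it is the last member of a group that requires it`, which also fixes the missing article in "is last member". The doctest example and the format string already describe the generic contract correctly, so only the summary line needs changing.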
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index b48e68022c88f5b5f777c8d10e0775d566fd9480..7e98bba4c48436588ff3baffad538a426b9f5edb 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -544,8 +544,13 @@ class user_del(LDAPDelete):
 
     msg_summary = _('Deleted user "%(value)s"')
 
-    def post_callback(self, ldap, dn, *keys, **options):
-        return True
+    def pre_callback(self, ldap, dn, *keys, **options):
+        protected_group_name = u'admins'
+        result = api.Command.group_show(protected_group_name)
+        if result['result'].get('member_user', []) == [keys[-1]]:
+            raise errors.LastMemberError(key=keys[-1], label=_(u'group'),
+                container=protected_group_name)
+        return dn
 
 api.register(user_del)
 
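Review bot: The guard on line 65 is check-then-act: membership is read through group_show here and the actual delete happens later in LDAPDelete, so two concurrent deletes of the two remaining admins can each see the other still present and both succeed; the method should say so, e.g. `# Best-effort guard: the membership read and the delete are not atomic, so a server-side constraint is needed to make "at least one admin" a hard invariant`. The `.get('member_user', [])` default also makes the guard silently disappear whenever the returned entry carries no member_user attribute, and from this hunk an empty group cannot be distinguished from one whose membership the caller is not allowed to read (presumably ACI-dependent), which is worth a comment at least. Note too that only user_del is covered: removing the last admin via group_remove_member or disabling the account are not touched by this change, which may be intended but should be stated in the commit message. The user_del class header and the base-class default for the dropped post_callback (which returned True) are outside the hunk, so I cannot tell from here whether removing it is safe.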
diff --git a/tests/test_xmlrpc/test_user_plugin.py b/tests/test_xmlrpc/test_user_plugin.py
index 4b2be5c325ab8d5a73a62f9c979ca5f40f3498bb..355a4cbbbbd1a758885c50b8f2450444cff23fd6 100644
--- a/tests/test_xmlrpc/test_user_plugin.py
+++ b/tests/test_xmlrpc/test_user_plugin.py
@@ -1330,4 +1330,45 @@ class test_user(Declarative):
             ),
             expected=lambda x: True,
         ),
+
+        dict(
+            desc='Try to remove the admin user',
+            command=('user_del', [u'admin'], {}),
+            expected=errors.LastMemberError(key=u'admin', label=u'group',
+                container='admins'),
+        ),
+
+        dict(
+            desc='Add %r to the admins group' % user2,
+            command=('group_add_member', [u'admins'], dict(user=user2)),
+            expected=dict(
+                completed=1,
+                failed=dict(
+                    member=dict(
+                        group=tuple(),
+                        user=tuple(),
+                    ),
+                ),
+                result={
+                        'dn': lambda x: DN(x) == \
+                            DN(('cn', 'admins'), ('cn', 'groups'),
+                                ('cn', 'accounts'), api.env.basedn),
+                        'member_user': [u'admin', user2],
+                        'gidnumber': [fuzzy_digits],
+                        'cn': [u'admins'],
+                        'description': [u'Account administrators group'],
+                },
+            ),
+        ),
+
+        dict(
+            desc='Delete %r' % user2,
+            command=('user_del', [user2], {}),
+            expected=dict(
+                result=dict(failed=u''),
+                summary=u'Deleted user "%s"' % user2,
+                value=user2,
+            ),
+        ),
+
     ]
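Review bot: `container='admins'` on line 85 is a plain byte string while every other group name in the hunk (lines 90, 105) and the value the plugin raises with are unicode literals; on Python 2 `'admins' == u'admins'` so the expected-error comparison still passes, but the literal should be `container=u'admins'` for consistency with the rest of the file. Coverage-wise the new cases only exercise direct user membership: there is no case where admins retains only a nested-group or indirect member, so whether the guard still refuses in that situation (it inspects only member_user, so presumably yes) goes unpinned. The enclosing test list begins well before this hunk.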
-- 
1.7.10.2
