--
John Dennis <jden...@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
>From c47109c63530e188db76986fdda48c76bf681d10 Mon Sep 17 00:00:00 2001
From: John Dennis <jden...@redhat.com>
Date: Thu, 16 Aug 2012 20:28:44 -0400
Subject: [PATCH 78] Ticket #2979 - prevent last admin from being disabled
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

We prevent the last member of the admin group from being deleted. The
same check needs to be performed when disabling a user.

Moved the code in user_del into a common subroutine and call it from
both user_del and user_disable. Note, unlike user_del user_disable
does not have a 'pre' callback therefore the check function is called
in user_disable's execute routine.
---
 ipalib/plugins/user.py | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 529699f..3cc667b 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -166,6 +166,17 @@ def normalize_principal(principal):
     return unicode('%s@%s' % (user, realm))
 
 
+def check_protected_member(user, protected_group_name=u'admins'):
+    '''
+    Ensure the last member of a protected group cannot be deleted or
+    disabled by raising LastMemberError.
+    '''
+
+    result = api.Command.group_show(protected_group_name)
+    if result['result'].get('member_user', []) == [user]:
+        raise errors.LastMemberError(key=user, label=_(u'group'),
+            container=protected_group_name)
+
 class user(LDAPObject):
     """
     User object.
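Review bot: `check_protected_member` guards only on membership, not on account state: `member_user == [user]` is also false when the group still holds a second member who is himself already disabled, so the guard does not guarantee that an enabled admin remains after `user_disable`. If that is the intended policy, the docstring should say so, e.g. `Only membership is checked; the remaining member's own enabled/disabled state is not considered.` The comparison is also literal, so it presumably relies on `keys[-1]` already being in the same normalized form as the entries returned by `group_show` — worth confirming, since a name that differs only in case or whitespace would skip the check. Minor style point: the new function is followed by a single blank line before `class user`, where PEP 8 asks for two between top-level definitions.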
@@ -550,11 +561,7 @@ class user_del(LDAPDelete):
 
     def pre_callback(self, ldap, dn, *keys, **options):
         assert isinstance(dn, DN)
-        protected_group_name = u'admins'
-        result = api.Command.group_show(protected_group_name)
-        if result['result'].get('member_user', []) == [keys[-1]]:
-            raise errors.LastMemberError(key=keys[-1], label=_(u'group'),
-                container=protected_group_name)
+        check_protected_member(keys[-1])
         return dn
 
 api.register(user_del)
@@ -679,8 +686,9 @@ class user_disable(LDAPQuery):
     def execute(self, *keys, **options):
         ldap = self.obj.backend
 
-        dn = self.obj.get_dn(*keys, **options)
+        check_protected_member(keys[-1])
 
+        dn = self.obj.get_dn(*keys, **options)
         ldap.deactivate_entry(dn)
 
         return dict(
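Review bot: The new `check_protected_member(keys[-1])` call is a read-then-act check: membership is read via `group_show` and `deactivate_entry` runs afterwards with nothing making the two atomic, so two concurrent disables of the two remaining members can both pass; the `user_del` pre_callback in the previous hunk has the same property (pre-existing there). If this guarantee matters for the deployment, it has to be enforced where the write happens rather than in the command; at minimum a comment on the call, `# not atomic: a concurrent del/disable of another member can also pass this check`, documents the limitation. Calling the check before `self.obj.get_dn` also means a disable of a nonexistent user issues the group lookup before NotFound is raised; moving it after `get_dn` would keep the previous error ordering. `execute`'s body continues past the end of the hunk.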
-- 
1.7.11.2

