On 09/03/2012 06:00 PM, Petr Viktorin wrote:
> On 09/03/2012 04:41 PM, John Dennis wrote:
>> On 09/03/2012 07:53 AM, Petr Viktorin wrote:
>>> On 08/26/2012 07:19 PM, John Dennis wrote:
>>>> On 08/20/2012 01:37 PM, Petr Viktorin wrote:
>>>>> (Sorry if you're getting this twice; I didn't send it to the list)
>>>>>
>>>>> On 08/16/2012 08:38 PM, John Dennis wrote:
>>>>>>
>>>>>> --
>>>>>> John Dennis <jden...@redhat.com>
>>>>>>
>>>>>> Looking to carve out IT costs?
>>>>>> www.redhat.com/carveoutcosts/
>>>>>>
>>>>>> freeipa-jdennis-0078-Ticket-2979-prevent-last-admin-from-being-disabled.patch
>>>>>>
>>>>>> >From c47109c63530e188db76986fdda48c76bf681d10 Mon Sep 17 00:00:00 2001
>>>>>> From: John Dennis<jden...@redhat.com>
>>>>>> Date: Thu, 16 Aug 2012 20:28:44 -0400
>>>>>> Subject: [PATCH 78] Ticket #2979 - prevent last admin from being disabled
>>>>>> Content-Type: text/plain; charset="utf-8"
>>>>>> Content-Transfer-Encoding: 8bit
>>>>>>
>>>>>> We prevent the last member of the admin group from being deleted. The
>>>>>> same check needs to be performed when disabling a user.
>>>>>>
>>>>>> Moved the code in del_user to a common subroutine and call it from
>>>>>> both user_del and user_disable. Note, unlike user_del user_disable
>>>>>> does not have a 'pre' callback therefore the check function is called
>>>>>> in user_disable's execute routine.
>>>>>
>>>>> This should also prevent disabling all admins if there's more than one:
>>>>>
>>>>> # ipa user-add admin2 --first=a --last=b
>>>>> -------------------
>>>>> Added user "admin2"
>>>>> -------------------
>>>>> ...
>>>>> # ipa group-add-member admins --user=admin2
>>>>> -------------------------
>>>>> Number of members added 1
>>>>> -------------------------
>>>>> # ipa user-disable admin2
>>>>> ------------------------------
>>>>> Disabled user account "admin2"
>>>>> ------------------------------
>>>>> # ipa user-disable admin
>>>>> ------------------------------
>>>>> Disabled user account "admin"
>>>>> ------------------------------
>>>>> # ipa ping
>>>>> ipa: ERROR: Server is unwilling to perform: Account inactivated. Contact system administrator.
>>>>>
>>>>> Also with one enabled and one disabled admin, it shouldn't be possible
>>>>> to delete the enabled one.
>>>>>
>>>>> Please add some tests; you can extend the ones added in commit f8e7b51.
>>>>
>>>> Good catch with respect to disabled users, thank you.
>>>>
>>>> Reworked patch attached, see patch comments.
>>>>
>>>
>>> Works well now, just the error message is incorrect: it mentions only
>>> deleting, not disabling.
>>>
>>> $ ipa user-disable admin
>>> ipa: ERROR: admin cannot be deleted because it is the last member of group admins
>>
>> Updated the error message to say
>>
>> "... cannot be deleted or disabled because ..."
>>
>
> ACK.
> Please push John's patch 81 before this one; that way it applies cleanly.
>
Pushed to master, ipa-3-0.

Martin
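
The check this thread converges on, as an added example that is not FreeIPA's code and not part of any message above: a last-member guard shared by delete and disable, shown once counting all group members and once counting only enabled ones. The Directory class, check_last_member, the count_disabled switch and replay are hypothetical names constructed for the illustration; only the group name, the user names and the error wording come from the thread.

```python
PROTECTED_GROUP = "admins"


class LastMemberError(Exception):
    """Operation would leave PROTECTED_GROUP without a usable account."""


class Directory:
    """In-memory stand-in for the user store (constructed for this example)."""

    def __init__(self, admins):
        self.enabled = {name: True for name in admins}  # name -> can log in?
        self.members = set(admins)                      # PROTECTED_GROUP members

    def check_last_member(self, name, count_disabled=False):
        # count_disabled=True models a guard that counts group members only,
        # the behaviour reported in the first review comment.
        if name not in self.members:
            return
        remaining = [m for m in self.members
                     if m != name and (count_disabled or self.enabled[m])]
        if not remaining:
            raise LastMemberError(
                f"{name} cannot be deleted or disabled because it is the "
                f"last member of group {PROTECTED_GROUP}")

    def user_disable(self, name, **kw):
        self.check_last_member(name, **kw)
        self.enabled[name] = False

    def user_del(self, name, **kw):
        self.check_last_member(name, **kw)
        self.members.discard(name)
        del self.enabled[name]


def replay(final_op, count_disabled):
    """Disable admin2, then apply final_op to admin; report the outcome."""
    d = Directory(["admin", "admin2"])
    d.user_disable("admin2", count_disabled=count_disabled)
    try:
        getattr(d, final_op)("admin", count_disabled=count_disabled)
    except LastMemberError as e:
        return f"refused: {e}"
    return "no enabled admin left"


if __name__ == "__main__":
    for op in ("user_disable", "user_del"):
        print(op, "| members only:", replay(op, True))
        print(op, "| enabled only:", replay(op, False))
```

Both review cases (disabling every admin in turn, and deleting the only enabled admin while a disabled one remains) pass the members-only guard and are refused by the enabled-only one.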