Reproduction: * add 'extensibleObject' object class to target object
https://fedorahosted.org/freeipa/ticket/4380 -- Petr Vobornik
From 908d39fdff8d91b5535e72e05410a7959f511613 Mon Sep 17 00:00:00 2001 From: Petr Vobornik <pvobo...@redhat.com> Date: Thu, 19 Jun 2014 17:09:38 +0200 Subject: [PATCH] webui: support wildcard attribute level rights Reproduction: * add 'extensibleObject' object class to target object https://fedorahosted.org/freeipa/ticket/4380 --- install/ui/src/freeipa/field.js | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/install/ui/src/freeipa/field.js b/install/ui/src/freeipa/field.js index c2e96b392bdba057828c3d5d465e7e17a52ee535..2f8137fa4a6ba7f63c937463897c313a9b73e3af 100644 --- a/install/ui/src/freeipa/field.js +++ b/install/ui/src/freeipa/field.js @@ -450,6 +450,12 @@ field.field = IPA.field = function(spec) { var writable = true; + function has_write(record, param) { + var rights = record.attributelevelrights[param]; + var has = rights && rights.indexOf('w') > -1; + return has; + } + if (that.metadata) { if (that.metadata.primary_key) { writable = false; @@ -460,10 +466,13 @@ field.field = IPA.field = function(spec) { } } - if (record && record.attributelevelrights) { + if (record && record.attributelevelrights && writable) { var rights = record.attributelevelrights[that.acl_param]; - var oc_rights= record.attributelevelrights['objectclass']; - var write_oc = oc_rights && oc_rights.indexOf('w') > -1; + var write_attr = has_write(record, that.acl_param); + var write_all = has_write(record, '*'); + var write_oc = has_write(record, 'objectclass'); + var can_write = write_attr || write_all; + // Some objects in LDAP may not have set proper object class and // therefore server doesn't send proper attribute rights. Flag 
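Review bot: `var can_write = write_attr || write_all;` lets a `'*'` entry that contains 'w' override an explicit entry for `that.acl_param` that lacks 'w', and nothing visible in the patch says whether the server resolves the two entries that way. If an explicit per-attribute entry is meant to take precedence, the line would be `var can_write = rights ? write_attr : write_all;`. Either way, a short comment above it stating what the `'*'` key represents and which entry wins would record the intended precedence. `has_write` also returns the falsy `rights` value itself (undefined or an empty string) rather than a boolean; `return !!rights && rights.indexOf('w') > -1;` makes the result type explicit. The enclosing function starts and ends outside these hunks.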
@@ -471,8 +480,8 @@ field.field = IPA.field = function(spec) {
 // shows edit interface in such cases. Usable only when user can
 // modify object classes.
 // For all others, lack of rights means no write.
- if ((!rights && !(that.flags.indexOf('w_if_no_aci') > -1 && write_oc)) ||
- (rights && rights.indexOf('w') < 0)) {
+ if (!can_write && !rights && !(that.flags.indexOf('w_if_no_aci') > -1 &&
+ write_oc)) {
 writable = false;
 }
 }
-- 
1.9.3
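Review bot: The rewritten condition no longer clears `writable` when the server sends rights for the attribute that lack 'w'. With `rights` set and no wildcard write, `!rights` is false, so the whole `&&` chain is false and the field stays writable; the removed `(rights && rights.indexOf('w') < 0)` branch handled exactly that case. Since `can_write` is already computed in the previous hunk, the check can be `if (!can_write && !(!rights && that.flags.indexOf('w_if_no_aci') > -1 && write_oc)) {`, which keeps the `w_if_no_aci` exception limited to the case where no rights were sent at all. This flag presumably only decides whether the edit widget is shown, with the server still enforcing the ACI, but a UI that offers edits the directory will reject misrepresents the user's actual permissions. The enclosing function continues outside the hunk.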