On Tue, 25 Aug 2015, Petr Vobornik wrote:
On 08/25/2015 07:37 AM, Alexander Bokovoy wrote:
On Tue, 25 Aug 2015, Fraser Tweedale wrote:
The attached patch fixes
https://fedorahosted.org/freeipa/ticket/5247.

Thanks,
Fraser

From 2cb4ab6eeedccc3471ed9bf983add4687ecd5c1a Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 24 Aug 2015 20:25:10 -0400
Subject: [PATCH] certprofile: prevent rename (modrdn)

Fixes: https://fedorahosted.org/freeipa/ticket/5247
---
ipalib/plugins/certprofile.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/certprofile.py
b/ipalib/plugins/certprofile.py
index
007cc543406b7e5705fd7474f3685cd6a9ce6aca..a0ffa38608400860994c771e4eba81304ead27be
100644
--- a/ipalib/plugins/certprofile.py
+++ b/ipalib/plugins/certprofile.py
@@ -323,8 +323,9 @@ class certprofile_mod(LDAPUpdate):
   def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
**options):
       ca_enabled_check()
       # Once a profile id is set it cannot be changed
-        if 'cn' in entry_attrs:
-            raise errors.ACIError(info=_('cn is immutable'))
+        if 'rename' in options or 'cn' in entry_attrs:
+            raise errors.ProtectedEntryError(label='certprofile',
key=keys[0],
+                reason=_('Certificate profiles cannot be renamed'))
       if 'file' in options:
           with self.api.Backend.ra_certprofile as profile_api:
               profile_api.disable_profile(keys[0])
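
Review bot: the new condition `'rename' in options` is a key-presence test, so it rejects the call whenever the key exists, whatever its value; if the intent is to reject only an actual new name, `options.get('rename')` says so more precisely, and either way the comment above the `if` should mention rename as well as `cn`. The `'cn' in entry_attrs` case now raises ProtectedEntryError instead of ACIError, which changes the error any existing caller or test sees for that path. The diffstat lists only certprofile.py, so a test asserting that a rename attempt fails with ProtectedEntryError, and that it fails before `disable_profile(keys[0])` is reached, would be worth adding with this change.
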
ACK

Can't we fix it by removing `rdn_is_primary_key = True`?

That would also remove the --rename option. Yes, it's an API change, but if rename is forbidden then the option should not even be there; just the resulting error will be different.
Well, that is another option, yes. Perhaps even a better one -- we have
plenty of places where rdn_is_primary_key is not actually used.

--
/ Alexander Bokovoy
