[Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0072-rights-check.patch

Rob Crittenden rcritten at redhat.com
Thu Nov 4 15:07:44 UTC 2010


Adam Young wrote:
> On 11/03/2010 12:55 PM, Endi Sukma Dewata wrote:
>> On 11/3/2010 8:53 AM, Adam Young wrote:
>>>> Still NACK. I have tested this again. It looks like the UI does not
>>>> send the --rights parameter which is required to get the
>>>> attributelevelrights. With this patch even the admin can't edit
>>>> anything.
>>>
>>> Ah...that was because I did it as two commits, and only made a patch out
>>> of one.
>>
>> Still too many disabled inputs. If you log in as admin and open admin's
>> details page, the only editable fields are last name and full name.
>> (State is also editable but I suspect it's because this field doesn't
>> support rights yet.) According to attributelevelrights I should be able
>> to edit a number of attributes including uidNumber, gidNumber,
>> telephoneNumber, but that's not the case. Do you see a different
>> behavior when you test it? Am I missing some other patches? Btw, in
>> your patch I think rights should be set to 'true' instead of 1.
>>
>> "attributelevelrights": {
>> "aci": "rscwo",
>> "cn": "rscwo",
>> "description": "rscwo",
>> "gecos": "rscwo",
>> "gidNumber": "rscwo",
>> "homeDirectory": "rscwo",
>> "inetUserHttpURL": "rscwo",
>> "inetUserStatus": "rscwo",
>> "ipaUniqueID": "rsc",
>> "krbCanonicalName": "rscwo",
>> "krbExtraData": "rscwo",
>> "krbLastFailedAuth": "rscwo",
>> "krbLastPwdChange": "rscwo",
>> "krbLastSuccessfulAuth": "rscwo",
>> "krbLoginFailedCount": "rscwo",
>> "krbMaxRenewableAge": "rscwo",
>> "krbMaxTicketLife": "rscwo",
>> "krbPasswordExpiration": "rscwo",
>> "krbPrincipalAliases": "rscwo",
>> "krbPrincipalExpiration": "rscwo",
>> "krbPrincipalKey": "wo",
>> "krbPrincipalName": "rscwo",
>> "krbPrincipalType": "rscwo",
>> "krbPwdHistory": "rscwo",
>> "krbPwdPolicyReference": "rscwo",
>> "krbTicketFlags": "rscwo",
>> "krbTicketPolicyReference": "rscwo",
>> "krbUPEnabled": "rscwo",
>> "loginShell": "rscwo",
>> "memberOf": "rsc",
>> "mepManagedEntry": "rscwo",
>> "nsAccountLock": "rscwo",
>> "objectClass": "rscwo",
>> "seeAlso": "rscwo",
>> "sn": "rscwo",
>> "telephoneNumber": "rscwo",
>> "uid": "rscwo",
>> "uidNumber": "rscwo",
>> "userPassword": "wo"
>> },
>>
> Now defaulting to rscwo, which means that some fields will show up
> editable even if the user can't change them, due to effectiverights not
> being returned on all fields.

The problem is that the effective rights are not returned properly; the
account in question (admin) doesn't have those attributes at all. I
don't think this is an appropriate fix.

rob
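
The two defaults discussed in this thread, side by side, as an added example that is not part of the original message or of the FreeIPA UI code. The function names and the sample object are hypothetical and constructed; it assumes that a "w" in an attributelevelrights string marks write permission and that an attribute missing from the entry gets no rights string at all.

```javascript
// Added illustration; names are hypothetical, not FreeIPA's UI code.
// Assumption: in an attributelevelrights string, 'w' marks write permission.

// Constructed sample modelled on the response quoted in the thread.
// telephoneNumber is left out on purpose: the entry has no such attribute.
const sampleRights = {
    cn: 'rscwo',
    sn: 'rscwo',
    ipaUniqueID: 'rsc',
    memberOf: 'rsc',
    userPassword: 'wo'
};

// LDAP attribute names are case-insensitive, so compare them that way.
function lookupRights(rights, attr) {
    const wanted = attr.toLowerCase();
    for (const name of Object.keys(rights || {})) {
        if (name.toLowerCase() === wanted) return rights[name];
    }
    return undefined; // no rights string was returned for this attribute
}

// Classify one field: 'writable', 'read-only', or 'unknown' when absent.
function fieldState(rights, attr) {
    const r = lookupRights(rights, attr);
    if (typeof r !== 'string') return 'unknown';
    return r.includes('w') ? 'writable' : 'read-only';
}

// Default-allow: a missing entry is treated as if it were 'rscwo'.
function editableDefaultAllow(rights, attr) {
    return fieldState(rights, attr) !== 'read-only';
}

// Default-deny: a missing entry leaves the input disabled.
function editableDefaultDeny(rights, attr) {
    return fieldState(rights, attr) === 'writable';
}

// Fields on which the two defaults disagree, i.e. the ones the thread argues about.
function disagreements(rights, fields) {
    return fields.filter(
        f => editableDefaultAllow(rights, f) !== editableDefaultDeny(rights, f));
}
```

Either default only decides what the form shows; the server still enforces the actual access control on write.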



