[Freeipa-devel] [PATCH] 005 Show error in serial association

Petr Vobornik pvoborni at redhat.com
Thu Aug 18 14:52:01 UTC 2011


On 08/18/2011 10:28 AM, Petr Vobornik wrote:
> On 08/17/2011 05:38 PM, Petr Vobornik wrote:
>> Ticket #1628 - https://fedorahosted.org/freeipa/ticket/1628
>> Unreported insufficient access error
>>
>> This patch is dependent on
>> freeipa-pvoborni-0004-1-error-dialog-for-batch-command.patch.
>>
>> This may be only a checking if approach of this patch is good.
>>
>> I was not sure if this type of error message (result.failed property) is
>> more general or it only appears in adding members. So I put error
>> handling in serial_associator instead of command. If it would be put in
>> command and success will be transformed to error, it will change the
>> behaviour of executing commands - other commands after error won't be
>> executed. If the approach is good, it could be probably better to change
>> it a little and offer same logic for batch_associator.
>>
>> It should be working for adding users to groups, netgroups, roles and
>> assigning hbac rules (tested as non admin user).
>>
>>
>> Modified association test - data in success handler should not be
>> undefined.
>>
>>
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Modified to work with bulk association.

After implementing error notification in associations, I noticed one 
'bug?':

After adding users to hbac rule, batch error notification is shown 
saying 'no modifications to be performed'.

Reproduce:
- create hbacrule named 'aa'
- add several users - in example 'admin' and 'ttest'

Request:
{"method":"batch","params":[[{"method":"hbacrule_mod","params":[["aa"],{"all":true,"rights":true,"usercategory":""}]},{"method":"hbacrule_add_user","params":[["aa"],{"user":"admin,ttest"}]}],{}]}

Response:
============================================================
{
     "error": null,
     "id": null,
     "result": {
         "count": 2,
         "results": [
             {
                 "error": "no modifications to be performed"
             },
             {
                 "completed": 2,
                 "error": null,
                 "failed": {
                     "memberuser": {
                         "group": [],
                         "user": []
                     }
                 },
                 "result": {
                     "cn": [
                         "aa"
                     ],
                     "dn": "ipauniqueid=cfb492f2-c8dc-11e0-9504-00163e06af05,cn=hbac,dc=vm-021,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com",
                     "ipaenabledflag": [
                         "TRUE"
                     ],
                     "memberuser_group": [
                         "admins"
                     ],
                     "memberuser_user": [
                         "admin",
                         "ttest"
                     ]
                 }
             }
         ]
     }
}


============================================================

I think the problem is that the first command should be included only if 
something changed.

It isn't a bug in this patch, but with it it is a new annoyance (you 
have to click OK).

-- 
Petr Vobornik
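
Added example (not part of the original message and not FreeIPA's own code): a sketch of how a client can walk a batch response like the one above and surface both per-command `error` values and non-empty `failed` member lists, the kind of failure ticket #1628 describes as unreported. The helper name `collectBatchErrors`, the second sample, and the `[name, reason]` shape of a `failed` entry are assumptions.

```javascript
// Hypothetical helper: returns one record per problem found in a batch response.
function collectBatchErrors(response) {
  const problems = [];
  if (response.error) {            // whole-request failure: no per-command results
    const e = response.error;
    problems.push({ index: null, source: 'rpc', message: String(e.message || e) });
    return problems;
  }
  const results = (response.result && response.result.results) || [];
  results.forEach((res, index) => {
    if (res.error) {               // the command itself failed
      const e = res.error;
      const message = typeof e === 'string' ? e : String(e.message || e);
      problems.push({ index, source: 'error', message });
    }
    // The command "succeeded" (error: null) but some members were rejected.
    const failed = res.failed || {};
    for (const attr of Object.keys(failed)) {
      for (const type of Object.keys(failed[attr] || {})) {
        for (const entry of failed[attr][type] || []) {
          // Assumption: an entry is [name, reason] or a bare name.
          const [name, reason = 'unknown reason'] = Array.isArray(entry) ? entry : [entry];
          problems.push({ index, source: 'failed', message: `${attr}/${type} ${name}: ${reason}` });
        }
      }
    }
  });
  return problems;
}

// Trimmed from the response quoted in the message above.
const sampleFromThread = { error: null, id: null, result: { count: 2, results: [
  { error: 'no modifications to be performed' },
  { completed: 2, error: null,
    failed: { memberuser: { group: [], user: [] } },
    result: { cn: ['aa'], memberuser_user: ['admin', 'ttest'] } }
] } };

// Constructed sample: nothing added, one member rejected, yet error is null.
const sampleDenied = { error: null, id: null, result: { count: 1, results: [
  { completed: 0, error: null,
    failed: { memberuser: { group: [], user: [['ttest', 'Insufficient access']] } },
    result: { cn: ['aa'] } }
] } };

console.log(collectBatchErrors(sampleFromThread));
console.log(collectBatchErrors(sampleDenied));
```

A caller that only checks `error` treats the second sample as a success; the `failed` walk is what makes the rejected member visible.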



