[Freeipa-devel] [PATCH] 199 Permissions: select only applicable options on type change

[Endi Sukma Dewata]

Found a couple of issues with Undo:

1. Using the scenario described in the ticket, if I undo the Type back 
to User Group the Attributes aren't updated, it still shows the Service 
attributes.

2. After that, if I undo the Attributes it will show the originally 
selected attribute (description) but the attribute will appear at the 
end of Service attributes (not User Group attributes) and the attributes 
are not sorted.

I also have some comments below.

On 8/22/2012 7:17 AM, Petr Vobornik wrote:
> Problem:
>   When a permission is edited, and Type switched, the attributes
> selected for previous Type are still selected, and update fails, if they
> are invalid for the new Type. But it should get deselected or not even
> listed if Type changes.
>
> Fix:
>   When Type is changed, attribute list is refreshed and still applicable
> attributes are chosen. If Type is reverted back, previously chosen
> attributes are back as chosen.
>
>   If attributes are extended outside Web UI by not listed attr, this
> attr is listed at the list end.

To my understanding the list of ACI attributes are obtained from the 
LDAP schema, so if a new attribute is added to the object class the UI 
will know about it and show it in the attribute list. However, if the 
attribute is added using the extensibleObject the UI may not know about 
it because there's no schema change, is this what you meant? In that 
case the UI won't show a checkbox for the attribute, so we'd probably 
have to use the Filter or Subtree permission target that accepts 
arbitrary attributes.

Ideally the server should support a generic LDAP ACI target which would 
accept any combination of LDAP filter, subtree, and attributes, but that 
probably depends on the actual needs.

> Note:
>   If user makes change in attribute list before type change, this change
> is forgotten.
>
> https://fedorahosted.org/freeipa/ticket/2617

-- 
Endi S. Dewata