[Freeipa-devel] Fwd: [PATCH] 912 Display the value of memberOf ACIs in permission plugin.
Endi Sukma Dewata
edewata at redhat.com
Wed Jan 4 18:03:18 UTC 2012
On 1/3/2012 6:27 AM, Petr Vobornik wrote:
> On 12/07/2011 12:22 AM, Rob Crittenden wrote:
>> Resending as a [PATCH]
>>
> I've created the UI portion patch (#2101). The show command seems to be working
> well, but the mod command is not returning the memberof attribute after
> execution. It is needed for Web UI (if we want to support modification
> of memberof attr there). Otherwise we would have to call show command
> after each mod.
>
> I'm blaming it on these lines in permission.py:340:
>     for r in result:
>         if not r.startswith('member'):
>             entry_attrs[r] = result[r]
>     return dn

Yes, that part should probably look something like:

    for attr in self.obj.aci_attributes:
        if attr in result:
            entry_attrs[attr] = result[attr]

Also another thing, in _make_aci() in aci.py there are 2 exclusivity rules:

* type, filter, subtree and targetgroup are mutually exclusive
* filter and memberof are mutually exclusive

Based on these rules it's possible to have memberof and targetgroup in
the same permission, but not filter with targetgroup, which seems to be
inconsistent because memberof generates a subset of ACIs generated by
filter.

The filter generates an ACI with a generic 'targetfilter=<filter>', and
memberof seems to be a convenience method to generate an ACI with a more
specific 'targetfilter=(memberOf=<memberof>)'.

So the 2 rules should be combined because, like filter, memberof should
be mutually exclusive from the other targets too.

--
Endi S. Dewata
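
The exclusivity rules discussed in the message above, as an added example that is not part of the original message and is not FreeIPA's `_make_aci()` code: a small Python model that lists which target pairs pass the two current rules but would be rejected once the rules are combined. All function and constant names are hypothetical and the group DN is constructed.

```python
# Added illustration; not FreeIPA's _make_aci(). All names are hypothetical.
from itertools import combinations

TARGETS = ("type", "filter", "subtree", "targetgroup", "memberof")

# The two exclusivity rules as described in the message.
CURRENT_RULES = [
    {"type", "filter", "subtree", "targetgroup"},
    {"filter", "memberof"},
]
# The proposal: memberof joins a single exclusivity set with the other targets.
COMBINED_RULES = [set(TARGETS)]


def allowed(given, rules):
    """True if no rule has more than one of its members present in `given`."""
    given = set(given)
    return all(len(given & rule) <= 1 for rule in rules)


def changed_pairs():
    """Target pairs accepted by the current rules but rejected once combined."""
    return sorted(
        pair for pair in combinations(TARGETS, 2)
        if allowed(pair, CURRENT_RULES) and not allowed(pair, COMBINED_RULES)
    )


def effective_targetfilter(options):
    """Target filter implied by the options, following the message:
    filter is used verbatim, memberof becomes (memberOf=<memberof>)."""
    if "filter" in options:
        return options["filter"]
    if "memberof" in options:
        return "(memberOf=%s)" % options["memberof"]
    return None


if __name__ == "__main__":
    # Constructed sample DN, not taken from the thread.
    group = "cn=editors,cn=groups,cn=accounts,dc=example,dc=com"
    print("targetfilter from memberof:", effective_targetfilter({"memberof": group}))
    for pair in changed_pairs():
        print("accepted today, rejected when combined:", " + ".join(pair))
```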