[Freeipa-devel] [PATCH] 0147: ipaserver/rpcserver: catch ACIError and return proper message for out-of-realm users

Alexander Bokovoy abokovoy at redhat.com
Thu Mar 6 10:03:23 UTC 2014


Hi,

We had a similar issue in the past, in the jsonserver_session() class, fixed by
0292ebd1, which Tomas did for ticket https://fedorahosted.org/freeipa/ticket/3252

This one is for non-sessioned call:
https://fedorahosted.org/freeipa/ticket/4225

-- 
/ Alexander Bokovoy
-------------- next part --------------
From bfd3ed72429f63cdf9bb1955ad8ee04c75e42014 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Thu, 6 Mar 2014 11:59:05 +0200
Subject: [PATCH 2/2] ipaserver/rpcserver: catch ACIError and return proper
 message for out-of-realm users

https://fedorahosted.org/freeipa/ticket/4225
---
 ipaserver/rpcserver.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index eb9b073..4e5db68 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -864,7 +864,11 @@ class jsonserver_kerb(jsonserver):
             self.internal_error(environ, start_response,
                                 'jsonserver_kerb.__call__: KRB5CCNAME not defined in HTTP request environment')
             return self.marshal(None, CCacheError())
-        self.create_context(ccache=user_ccache)
+        # This may fail if a ticket from wrong realm was handled via browser
+        try:
+            self.create_context(ccache=user_ccache)
+        except ACIError, e:
+            return self.unauthorized(environ, start_response, str(e), 'denied')
 
         try:
             response = super(jsonserver_kerb, self).__call__(environ, start_response)
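Review bot: the new except branch around create_context() passes str(e) straight to the client through self.unauthorized() and, as far as this hunk shows, records nothing on the server side, whereas the KRB5CCNAME branch just above logs its reason through self.internal_error(). Consider logging the ACIError with the 'jsonserver_kerb.__call__:' prefix before returning, and check that the exception text is suitable to show to a caller who has not been authorized; a fixed message for the out-of-realm case would avoid exposing internal detail. The diffstat (5 insertions, 1 deletion) is fully accounted for by this hunk, so no import is added; please confirm ACIError is already imported in ipaserver/rpcserver.py, otherwise this path raises NameError instead of returning the 401. Style points: "except ACIError as e:" is preferred over "except ACIError, e:", and the comment could say more precisely what fails, for example that create_context() raises ACIError when the ticket in the ccache comes from a different realm.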
-- 
1.8.3.1


