[Freeipa-devel] [PATCH] 552-557 Permissions v2 Web UI

Petr Viktorin pviktori at redhat.com
Tue Mar 18 14:07:35 UTC 2014


On 03/18/2014 01:09 PM, Petr Vobornik wrote:
> New revision for patch #557 attached.
>
> On 17.3.2014 15:22, Petr Viktorin wrote:
>> On 03/14/2014 06:47 PM, Petr Vobornik wrote:
>>> Main ACI UI changes are in patch #557. The rest are prerequisites.
>>
>> With this UI it is impossible to change from "Type-based" permissions to
>> "General" ones. This seems to be remaining from the old model where
>> type/filter/subtree/targetgroup were "classes" of a
>> permission rather than co-existing as attributes.
>>
>> Rather the Target section should IMO look the same for all (non-managed)
>> permissions, with the first items being:
>>      Type:    [drop-down with a None option]
>>      Subtree: [textbox that is disabled when a Type is selected]
>>
>> The Subtree should be a one-line textbox. It would be acceptable if the
>> whole DN doesn't always fit, it's the first part that's important.
>>
>> Remember to only send Subtree if Type is (staying as | being set to)
>> None.
>>
>> Also, the Add dialog should use this instead of the "Define by".
>
> Done
>
>>
>>
>>
>> With managed permissions, if I try to change both included/excluded
>> attribute list and the effective attributes, I get a validation error,
>> which is good in CLI but it doesn't work well for the UI.
>>
>> I think it would be better to move "Managed permission overrides" below
>> "Target", and make it read-only. And perhaps rename it to something like
>> "Attribute breakdown".
>> Managing the included/excluded lists directly is only useful for
>> upgrades with a heavily customized policy, and for upgrades you need the
>> CLI anyway. Normally, having only the attribute list editable should be
>> fine.
>
> Done
>
>>
>>
>>
>> For SYSTEM permissions (those which only have the SYSTEM flag), such as
>> 'Add Automember Rebuild Membership Task', Permissions should not be
>> editable.
>> For old-style permissions (those without any flags), nothing is editable
>> but everything should be. The attributelevelrights are missing because
>> the entry doesn't have the ipaPermissionV2 objectclass yet (although
>> it's being reported, which is "my" bug -- #4257).
>
> Fields were set to be editable if attributes level rights are missing.

That solves things for normal legacy permissions, but not for the SYSTEM 
ones - those should be completely read-only.

Also, changing the Permissions checkboxes on these permissions doesn't 
mark them dirty.

Otherwise the patches work great!

-- 
Petr³
