[Freeipa-devel] Fwd: [PATCH] 912 Display the value of memberOf ACIs in permission plugin.

Rob Crittenden rcritten at redhat.com
Wed Jan 4 18:20:18 UTC 2012


Endi Sukma Dewata wrote:
> On 1/3/2012 6:27 AM, Petr Vobornik wrote:
>> On 12/07/2011 12:22 AM, Rob Crittenden wrote:
>>> Resending as a [PATCH]
>>>
>> I've created UI portion patch (#2101). The show command seems to be working
>> well, but the mod command is not returning the memberof attribute after
>> execution. It is needed for Web UI (if we want to support modification
>> of memberof attr there). Otherwise we would have to call show command
>> after each mod.
>>
>> I'm blaming it on these lines in permission.py:340:
>> for r in result:
>>     if not r.startswith('member'):
>>         entry_attrs[r] = result[r]
>> return dn
>
> Yes, that part should probably look something like:
>
> for attr in self.obj.aci_attributes:
>     if attr in result:
>         entry_attrs[attr] = result[attr]

I'm not sure why that was there unless it is to exclude members of the 
permission (remember, we show things in reverse).

> Also another thing, in _make_aci() in aci.py there are 2 exclusivity rules:
> * type, filter, subtree and targetgroup are mutually exclusive
> * filter and memberof are mutually exclusive
>
> Based on these rules it's possible to have memberof and targetgroup in
> the same permission, but not filter with targetgroup, which seems to be
> inconsistent because memberof generates a subset of the ACIs generated by
> filter.
>
> The filter generates an ACI with a generic 'targetfilter=<filter>', and
> memberof seems to be a convenience method to generate an ACI with a more
> specific 'targetfilter=(memberOf=<memberof>)'.
>
> So the 2 rules should be combined because, like filter, memberof should
> be mutually exclusive from the other targets too.
>

This is specifically allowed because it lets you restrict the members of 
the memberof group to modify only the values of the targetgroup (e.g. 
group membership). If anything I'd relax it so filter and targetgroup 
aren't mutually exclusive. I'm not sure of the use case for this though.

rob
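As an added illustration (not FreeIPA's own code) of the two exclusivity rules Endi lists for _make_aci() and of the permission.py loop Petr quotes beside Endi's proposed replacement; the names TARGET_KINDS, ACI_ATTRIBUTES, check_targets and the member_privilege sample key are assumptions made for this example.

```python
# Hypothetical reimplementation of the rules discussed in the thread;
# not the code in FreeIPA's aci.py or permission.py.
TARGET_KINDS = ("type", "filter", "subtree", "targetgroup")
ACI_ATTRIBUTES = ("permissions", "attrs", "type", "filter", "subtree",
                  "targetgroup", "memberof")  # assumed list of ACI options


def check_targets(kw):
    """Return the list of rule violations for the target options in kw.

    Rule 1: type, filter, subtree and targetgroup are mutually exclusive.
    Rule 2: filter and memberof are mutually exclusive.
    memberof together with targetgroup is allowed on purpose, so that the
    members of one group may be restricted to editing another group.
    """
    present = [k for k in TARGET_KINDS if kw.get(k)]
    errors = []
    if len(present) > 1:
        errors.append("mutually exclusive targets: %s" % ", ".join(present))
    if kw.get("filter") and kw.get("memberof"):
        errors.append("filter and memberof are mutually exclusive")
    return errors


def copy_aci_attrs_buggy(result, entry_attrs):
    # Mirrors the loop quoted from permission.py: every key starting with
    # 'member' is skipped, so 'memberof' is dropped together with the
    # reverse-membership keys it was presumably meant to exclude.
    for r in result:
        if not r.startswith('member'):
            entry_attrs[r] = result[r]
    return entry_attrs


def copy_aci_attrs_fixed(result, entry_attrs, aci_attributes=ACI_ATTRIBUTES):
    # Endi's suggestion: copy only known ACI attributes, so 'memberof' is
    # kept while non-ACI membership keys are still left out.
    for attr in aci_attributes:
        if attr in result:
            entry_attrs[attr] = result[attr]
    return entry_attrs
```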