[Freeipa-devel] [PATCH 78] Ticket #2979 - prevent last admin from being disabled

John Dennis jdennis at redhat.com
Mon Sep 3 14:41:16 UTC 2012


On 09/03/2012 07:53 AM, Petr Viktorin wrote:
> On 08/26/2012 07:19 PM, John Dennis wrote:
>> On 08/20/2012 01:37 PM, Petr Viktorin wrote:
>>> (Sorry if you're getting this twice; I didn't send it to the list)
>>>
>>> On 08/16/2012 08:38 PM, John Dennis wrote:
>>>>
>>>> --
>>>> John Dennis <jdennis at redhat.com>
>>>>
>>>> Looking to carve out IT costs?
>>>> www.redhat.com/carveoutcosts/
>>>>
>>>> freeipa-jdennis-0078-Ticket-2979-prevent-last-admin-from-being-disabled.patch
>>>>
>>>>
>>>>
>>>> From c47109c63530e188db76986fdda48c76bf681d10 Mon Sep 17 00:00:00 2001
>>>> From: John Dennis <jdennis at redhat.com>
>>>> Date: Thu, 16 Aug 2012 20:28:44 -0400
>>>> Subject: [PATCH 78] Ticket #2979 - prevent last admin from being
>>>> disabled
>>>> Content-Type: text/plain; charset="utf-8"
>>>> Content-Transfer-Encoding: 8bit
>>>>
>>>> We prevent the last member of the admin group from being deleted. The
>>>> same check needs to be performed when disabling a user.
>>>>
>>>> Moved the code in del_user to a common subroutine and call it from
>>>> both user_del and user_disable. Note, unlike user_del user_disable
>>>> does not have a 'pre' callback therefore the check function is called
>>>> in user_disable's execute routine.
>>>
>>> This should also prevent disabling all admins if there's more than one:
>>>
>>> # ipa user-add admin2 --first=a --last=b
>>> -------------------
>>> Added user "admin2"
>>> -------------------
>>> ...
>>> # ipa group-add-member admins --user=admin2
>>> -------------------------
>>> Number of members added 1
>>> -------------------------
>>> # ipa user-disable admin2
>>> ------------------------------
>>> Disabled user account "admin2"
>>> ------------------------------
>>> # ipa user-disable admin
>>> ------------------------------
>>> Disabled user account "admin"
>>> ------------------------------
>>> # ipa ping
>>> ipa: ERROR: Server is unwilling to perform: Account inactivated. Contact
>>> system administrator.
>>>
>>> Also with one enabled and one disabled admin, it shouldn't be possible
>>> to delete the enabled one.
>>>
>>>
>>> Please add some tests; you can extend the ones added in commit f8e7b51.
>>
>> Good catch with respect to disabled users, thank you.
>>
>> Reworked patch attached, see patch comments.
>>
>>
>>
>>
>
> Works well now, just the error message is incorrect: it mentions only
> deleting, not disabling.
>
> $ ipa user-disable admin
> ipa: ERROR: admin cannot be deleted because it is the last member of
> group admins

Updated the error message to say

"... cannot be deleted or disabled because ..."


-- 
John Dennis <jdennis at redhat.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jdennis-0078-2-prevent-last-admin-from-being-disabled.patch
Type: text/x-patch
Size: 51035 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120903/b19efc36/attachment.bin>
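
The check discussed in this thread, as an added example that is not part of the original message or of the FreeIPA code base: the "last admin" test counts only enabled members of the group and is shared by the delete and disable paths. The Directory class, its method names, the in-memory data and the LastMemberError name are hypothetical; the error text is modeled on the wording quoted above.

```python
# Added illustration: in-memory model, not FreeIPA code; all names hypothetical.
class LastMemberError(Exception):
    """The operation would leave the protected group without a usable member."""

class Directory:
    def __init__(self):
        self.users = {}    # login -> {"disabled": bool}
        self.groups = {}   # group name -> set of logins

    def add_user(self, login, groups=()):
        self.users[login] = {"disabled": False}
        for g in groups:
            self.groups.setdefault(g, set()).add(login)

    def _check_protected(self, login, group="admins"):
        # Count only ENABLED members: a disabled admin cannot authenticate,
        # so it must not count as a remaining administrator.
        enabled = {u for u in self.groups.get(group, set())
                   if not self.users[u]["disabled"]}
        if enabled == {login}:
            raise LastMemberError(
                f"{login} cannot be deleted or disabled because it is "
                f"the last member of group {group}")

    def disable_user(self, login):
        self._check_protected(login)       # same check as delete_user
        self.users[login]["disabled"] = True

    def delete_user(self, login):
        self._check_protected(login)
        del self.users[login]
        for members in self.groups.values():
            members.discard(login)

def replay_thread_scenario():
    """Constructed replay of the review: disable admin2, then try admin."""
    d = Directory()
    d.add_user("admin", groups=["admins"])
    d.add_user("admin2", groups=["admins"])
    d.disable_user("admin2")               # allowed: admin is still enabled
    results = {}
    for op in (d.disable_user, d.delete_user):
        try:
            op("admin")
            results[op.__name__] = "allowed"
        except LastMemberError as e:
            results[op.__name__] = str(e)
    return results
```

Counting raw group membership instead of enabled members would let both operations through in this replay, which is the lockout shown in the review.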

