[Freeipa-devel] [PATCH 78] Ticket #2979 - prevent last admin from being disabled

Martin Kosek mkosek at redhat.com
Mon Sep 3 16:14:07 UTC 2012


On 09/03/2012 06:00 PM, Petr Viktorin wrote:
> On 09/03/2012 04:41 PM, John Dennis wrote:
>> On 09/03/2012 07:53 AM, Petr Viktorin wrote:
>>> On 08/26/2012 07:19 PM, John Dennis wrote:
>>>> On 08/20/2012 01:37 PM, Petr Viktorin wrote:
>>>>> (Sorry if you're getting this twice; I didn't send it to the list)
>>>>>
>>>>> On 08/16/2012 08:38 PM, John Dennis wrote:
>>>>>>
>>>>>> -- 
>>>>>> John Dennis <jdennis at redhat.com>
>>>>>>
>>>>>> freeipa-jdennis-0078-Ticket-2979-prevent-last-admin-from-being-disabled.patch
>>>>>>
>>>>>> >From c47109c63530e188db76986fdda48c76bf681d10 Mon Sep 17 00:00:00
>>>>>> 2001
>>>>>> From: John Dennis<jdennis at redhat.com>
>>>>>> Date: Thu, 16 Aug 2012 20:28:44 -0400
>>>>>> Subject: [PATCH 78] Ticket #2979 - prevent last admin from being
>>>>>> disabled
>>>>>> Content-Type: text/plain; charset="utf-8"
>>>>>> Content-Transfer-Encoding: 8bit
>>>>>>
>>>>>> We prevent the last member of the admin group from being deleted. The
>>>>>> same check needs to be performed when disabling a user.
>>>>>>
>>>>>> Moved the code in del_user to a common subroutine and call it from
>>>>>> both user_del and user_disable. Note, unlike user_del user_disable
>>>>>> does not have a 'pre' callback therefore the check function is called
>>>>>> in user_disable's execute routine.
>>>>>
>>>>> This should also prevent disabling all admins if there's more than one:
>>>>>
>>>>> # ipa user-add admin2 --first=a --last=b
>>>>> -------------------
>>>>> Added user "admin2"
>>>>> -------------------
>>>>> ...
>>>>> # ipa group-add-member admins --user=admin2
>>>>> -------------------------
>>>>> Number of members added 1
>>>>> -------------------------
>>>>> # ipa user-disable admin2
>>>>> ------------------------------
>>>>> Disabled user account "admin2"
>>>>> ------------------------------
>>>>> # ipa user-disable admin
>>>>> ------------------------------
>>>>> Disabled user account "admin"
>>>>> ------------------------------
>>>>> # ipa ping
>>>>> ipa: ERROR: Server is unwilling to perform: Account inactivated. Contact system administrator.
>>>>>
>>>>> Also with one enabled and one disabled admin, it shouldn't be possible
>>>>> to delete the enabled one.
>>>>>
>>>>>
>>>>> Please add some tests; you can extend the ones added in commit f8e7b51.
>>>>
>>>> Good catch with respect to disabled users, thank you.
>>>>
>>>> Reworked patch attached, see patch comments.
>>>>
>>>
>>> Works well now, just the error message is incorrect: it mentions only
>>> deleting, not disabling.
>>>
>>> $ ipa user-disable admin
>>> ipa: ERROR: admin cannot be deleted because it is the last member of group admins
>>
>> Updated the error message to say
>>
>> "... cannot be deleted or disabled because ..."
>>
>>
> 
> ACK.
> Please push John's patch 81 before this one; that way it applies cleanly.
> 

Pushed to master, ipa-3-0.

Martin
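
The check discussed in this thread, as an added example (not the patch and not FreeIPA code): one shared guard called from both the delete and the disable path, counting only enabled members of the protected group so that the admin2/admin sequence from the review is refused. The class, method and exception names, the in-memory data model and the error wording are assumptions.

```python
# Added illustration; class and method names are hypothetical, not FreeIPA's code.
class LastMemberError(Exception):
    """The operation would leave the protected group with no enabled member."""

class Directory:
    """Constructed in-memory stand-in for the user store and one protected group."""
    def __init__(self, protected_group="admins"):
        self.protected_group = protected_group
        self.disabled = {}      # uid -> True if the account is disabled
        self.members = set()    # uids in the protected group

    def add_user(self, uid, admin=False):
        self.disabled[uid] = False
        if admin:
            self.members.add(uid)

    def check_protected_member(self, uid):
        # Count only members that can still log in; a disabled admin does not count.
        enabled = {m for m in self.members if not self.disabled[m]}
        if enabled == {uid}:
            raise LastMemberError(
                f"{uid} is the last enabled member of group {self.protected_group}")

    def user_disable(self, uid):
        self.check_protected_member(uid)
        self.disabled[uid] = True

    def user_del(self, uid):
        self.check_protected_member(uid)
        self.members.discard(uid)
        del self.disabled[uid]

def replay_thread_scenario():
    """Replays the review sequence: add admin2, disable it, then target admin."""
    d = Directory()
    d.add_user("admin", admin=True)
    d.add_user("admin2", admin=True)
    d.user_disable("admin2")            # allowed: admin is still enabled
    results = {}
    for op in (d.user_disable, d.user_del):
        try:
            op("admin")
            results[op.__name__] = "allowed"
        except LastMemberError as exc:
            results[op.__name__] = f"refused: {exc}"
    return results
```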
