[Freeipa-devel] [PATCH] 552-557 Permissions v2 Web UI

Petr Vobornik pvoborni at redhat.com
Tue Mar 18 15:56:21 UTC 2014 

On 18.3.2014 15:07, Petr Viktorin wrote:
> On 03/18/2014 01:09 PM, Petr Vobornik wrote:
>> New revision for patch patch #557 attached.
>>
>> On 17.3.2014 15:22, Petr Viktorin wrote:
>>> On 03/14/2014 06:47 PM, Petr Vobornik wrote:
>>>> Main ACI UI changes are in patch #557. The rest are prerequisites.
>>>
>>> With this UI it is impossible to change from "Type-based" permissions to
>>> "General" ones. This seems to be remaining from the old model where
>>> permissions were type/filter/subtree/targetgroup were "classes" of a
>>> permission rather than co-existing as attributes.
>>>
>>> Rather the Target section should IMO look the same for all (non-managed)
>>> permissions, with the first items being:
>>>      Type:    [drop-down with a None option]
>>>      Subtree: [textbox that is disabled when a Type is selected]
>>>
>>> The Subtree should be a one-line textbox. It would be acceptable if the
>>> whole DN doesn't always fit, it's the first part that's important.
>>>
>>> Remember to only send Subtree if Type is (staying as | being set to)
>>> None.
>>>
>>> Also, the Add dialog should use this instead of the "Define by".
>>
>> Done
>>
>>>
>>>
>>>
>>> With managed permissions, if I try to change both included/excluded
>>> attribute list and the effective attributes, I get a validation error,
>>> which is good in CLI but it doesn't work well for the UI.
>>>
>>> I think it would be better to move "Managed permission overrides" below
>>> "Target", and make it read-only. And perhaps rename it to something like
>>> "Attribute breakdown".
>>> Managing the included/excluded lists directly is only useful for
>>> upgrades with a heavily customized policy, and for upgrades you need the
>>> CLI anyway. Normally, having only the attribute list editable should be
>>> fine.
>>
>> Done
>>
>>>
>>>
>>>
>>> For SYSTEM permissions (those which only have the SYSTEM flag), such as
>>> 'Add Automember Rebuild Membership Task', Permissions should not be
>>> editable.
>>> For old-style permissions (those without any flags), nothing is editable
>>> but everything should be. The attributelevelrights are missing because
>>> the entry doesn't have the ipaPermissionV2 objectclass yet (although
>>> it's being reported, which is "my" bug -- #4257).
>>
>> Fields were set to be editable if attributes level rights are missing.
>
> That solves things for normal legacy permissions, but not for the SYSTEM
> ones - those should be completely read-only.
>
> Also, changing the Permisisons checkboxes on these permissions doesn't
> mark them dirty.
>
> Otherwise the patches work great!
>

Fixed

New versions of 556 and 557 attached.

-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0556-1-webui-reflect-enabled-state-in-child-widgets-of-a-mu.patch
Type: text/x-patch
Size: 2544 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140318/197986e5/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0557-2-webui-change-permissions-UI-to-v2.patch
Type: text/x-patch
Size: 47270 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140318/197986e5/attachment-0001.bin>

More information about the Freeipa-devel mailing list