[Freeipa-devel] [PATCH 0065] Don't allow users to create tokens with a specified ID

Nathaniel McCallum npmccallum at redhat.com
Sat Sep 20 20:21:33 UTC 2014


On Wed, 2014-09-17 at 08:51 +0200, Jan Cholasta wrote:
> Hi,
> 
> Dne 16.9.2014 v 19:32 Nathaniel McCallum napsal(a):
> > We perform this enforcement at the API level since:
> > * DS level enforcement would be difficult
> > * ipatokenUniqueID generation already happens at the API level
> >
> > It may be nice in the future to perform enforcement in the DS itself.
> > However, the question of the location of enforcement is largely an
> > aesthetic issue.
> >
> > https://fedorahosted.org/freeipa/ticket/4456
> 
> That's a rather beefy check. I would prefer something like this (untested):
> 
>      group_dn = self.api.Object.group.get_dn(u'admins')
>      filter = ldap.make_filter(
>          {'krbprincipalname': context.principal, 'memberof': group_dn},
>          ldap.MATCH_ALL)
>      try:
>          ldap.find_entries(
>              base_dn=self.api.env.basedn, filter=filter, attrs_list=[''])
>      except errors.NotFound:
>          raise errors.ValidationError(name='ipatokenuniqueid',
>                                       error='can only be specified by admins')

Fixed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-npmccallum-0065.1-Don-t-allow-users-to-create-tokens-with-a-specified-.patch
Type: text/x-patch
Size: 2544 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140920/0feaf324/attachment.bin>
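The check the thread converges on, modelled as an added example that is not FreeIPA's own code: the caller's admin membership is decided by the same two-attribute filter quoted above, and an explicit ipatokenuniqueid is only honoured for admins, while everyone else gets a generated one. The in-memory directory, the base DN and the uuid4 generation are assumptions of this example.

```python
import uuid

# Constructed stand-in for the DS: entry DN -> attributes (values are lists as in LDAP).
ADMINS_DN = "cn=admins,cn=groups,cn=accounts,dc=example,dc=test"   # assumed base DN
DIRECTORY = {
    "uid=admin,cn=users,cn=accounts,dc=example,dc=test": {
        "krbprincipalname": ["admin@EXAMPLE.TEST"], "memberof": [ADMINS_DN]},
    "uid=alice,cn=users,cn=accounts,dc=example,dc=test": {
        "krbprincipalname": ["alice@EXAMPLE.TEST"],
        "memberof": ["cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test"]},
}

class ValidationError(Exception):
    """Mirrors the shape of the error raised in the thread (name + error message)."""
    def __init__(self, name, error):
        super().__init__("invalid '%s': %s" % (name, error))
        self.name, self.error = name, error

def escape_filter_value(value):
    # RFC 4515 escaping: a principal or DN containing ( ) * \ or NUL must not be able
    # to change the meaning of the filter the API sends to the directory.
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def make_admin_filter(principal, group_dn=ADMINS_DN):
    # Filter string equivalent to ldap.make_filter({...}, ldap.MATCH_ALL) in the thread.
    return "(&(krbprincipalname=%s)(memberof=%s))" % (
        escape_filter_value(principal), escape_filter_value(group_dn))

def caller_is_admin(directory, principal, group_dn=ADMINS_DN):
    # Evaluates the two equality assertions of make_admin_filter() against the
    # in-memory directory; find_entries() raising NotFound corresponds to False here.
    return any(principal in attrs.get("krbprincipalname", [])
               and group_dn in attrs.get("memberof", [])
               for attrs in directory.values())

def otptoken_add_pre_callback(directory, principal, entry_attrs):
    # API-level enforcement from the ticket: an explicit ipatokenuniqueid is only
    # honoured for admins; everyone else gets a server-generated ID (uuid4 assumed).
    if entry_attrs.get("ipatokenuniqueid"):
        if not caller_is_admin(directory, principal):
            raise ValidationError(name="ipatokenuniqueid",
                                  error="can only be specified by admins")
    else:
        entry_attrs["ipatokenuniqueid"] = str(uuid.uuid4())
    return entry_attrs
```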
