Check effective rights. If the right is not explicitly allowed, show the field as read only.




From 2ecf95edc367c4e14bdf1f1981d088f7e16f8345 Mon Sep 17 00:00:00 2001
From: Adam Young <ayo...@redhat.com>
Date: Fri, 29 Oct 2010 14:24:23 -0400
Subject: [PATCH] rights check
 if the field does not have a 'w' for writable in its rights, disable it.

---
 install/static/details.js            |   46 +++++++++++++++++++++++----------
 install/static/test/details_tests.js |   24 +++++++++++++++++-
 ipalib/plugins/baseldap.py           |    2 +-
 3 files changed, 56 insertions(+), 16 deletions(-)

diff --git a/install/static/details.js b/install/static/details.js
index 4bc17910663d1fc155f321594a40c72f37696051..9193f18cddb03bd58d3e4622d98774855f343fe4 100644
--- a/install/static/details.js
+++ b/install/static/details.js
@@ -26,6 +26,13 @@
 
 var ipa_details_cache = {};
 
+IPA.is_field_writable = function(rights){
+    if (!rights){
+        alert('no right');
+    }
+    return rights.indexOf('w') > -1;
+}
+
 function ipa_details_field(spec) {
 
     spec = spec || {};
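Review bot: `IPA.is_field_writable` does not return after the `!rights` check, so a null or undefined `rights` pops up `alert('no right')` and then throws a TypeError on `rights.indexOf`. Failing closed is safer and drops the debug popup: `if (!rights) { return false; }`. The function expression is also missing its terminating semicolon after the closing brace.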
@@ -75,15 +82,21 @@ function ipa_details_field(spec) {
         }
 
         var value = entry_attrs[this.name];
+        var rights = 'rsc';
+        if (entry_attrs.attributelevelrights){
+            rights = entry_attrs.attributelevelrights[this.name] || 'rsc' ;
+        }
         if (value) {
             dd = ipa_create_first_dd(
-                this.name, ipa_create_input(obj_name, this.name, value[0],hint_span)
+                this.name, ipa_create_input(obj_name, this.name, value[0],hint_span,rights)
             );
             dt.after(dd);
             var last_dd = dd;
             for (var i = 1; i < value.length; ++i) {
                 dd = ipa_create_other_dd(
-                    this.name, ipa_create_input(obj_name, this.name, value[i],hint_span)
+                    this.name,
+                    ipa_create_input(obj_name, this.name, value[i],hint_span,
+                                     rights)
                 );
                 last_dd.after(dd);
                 last_dd = dd;
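Review bot: The lookup `entry_attrs.attributelevelrights[this.name]` uses the field name as written, while the baseldap.py hunk of this patch stores the keys as `k.strip().lower()`. A field whose `name` contains upper-case letters would miss its entry and fall back to `'rsc'`, so it would render read-only even when the user has write access; whether any field names are mixed-case is not visible here. Consider `rights = entry_attrs.attributelevelrights[this.name.toLowerCase()] || 'rsc';`. The enclosing function starts and ends outside this hunk.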
@@ -95,14 +108,15 @@ function ipa_details_field(spec) {
                 last_dd.after(dd);
             }
         } else {
-            if (multivalue) {
+            if (multivalue) {  //TODO Add rights check
                 dd = ipa_create_first_dd(
                     this.name, _ipa_a_add_template.replace('A', this.name) /*.append(hint_span)*/
                 );
                 dt.after(dd);
             } else {
                 dd = ipa_create_first_dd(
-                    this.name, ipa_create_input(obj_name, this.name, '') /*.append(hint_span)*/
+                    this.name, ipa_create_input(
+                        obj_name, this.name,'',hint_span,rights)
                 );
                 dt.after(dd);
             }
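Review bot: The empty multivalue branch still renders `_ipa_a_add_template` without consulting `rights`, so a user lacking `w` is offered an add link for an attribute they cannot modify; the TODO marks the gap but the patch leaves it open. A small guard would close it: `if (multivalue && IPA.is_field_writable(rights)) {`, which lets the read-only case fall through to the disabled empty input in the `else` branch. The enclosing function starts and ends outside this hunk.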
@@ -501,13 +515,13 @@ var _ipa_param_type_2_handler_map = {
  * arguments:
  *   attr - LDAP attribute name
  *   value - the attributes value */
-function ipa_create_input(obj_name, attr, value,hint)
+function ipa_create_input(obj_name, attr, value,hint,rights)
 {
     var input = $("<label>",{html:value.toString()});
     var param_info = ipa_get_param_info(obj_name, attr);
     if (!param_info) {
         /* no information about the param is available, default to text input */
-        input = _ipa_create_text_input(attr, value, null);
+        input = _ipa_create_text_input(attr, value, null,rights);
         if (hint){
             input.after(hint);
         }
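Review bot: The header comment above `ipa_create_input` still lists only `attr` and `value`, so the new `rights` parameter (and the existing `hint`) are undocumented. Suggest adding `*   hint - element placed after the input` and `*   rights - effective-rights string for attr, e.g. 'rscwo'; the input is disabled unless it contains 'w'`. The comment block begins outside this hunk and the function body continues past it.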
@@ -520,7 +534,7 @@ function ipa_create_input(obj_name, attr, value,hint)
         /* call handler by param class */
         var handler = _ipa_param_type_2_handler_map[param_info['class']];
         if (handler) {
-            input = handler(attr, value, param_info);
+            input = handler(attr, value, param_info,rights);
             if (param_info['multivalue'] || param_info['class'] == 'List') {
                 input.append( _ipa_create_remove_link(attr, param_info));
             }
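Review bot: `_ipa_create_remove_link` is appended whenever the param is multivalue or a `List`, regardless of `rights`, so a read-only field still shows a remove control. The condition could include the rights check: `if (IPA.is_field_writable(rights) && (param_info['multivalue'] || param_info['class'] == 'List')) {`. Every handler in `_ipa_param_type_2_handler_map` now receives a fourth argument, but only `_ipa_create_text_input` is updated in this patch; any other handlers would ignore it and stay editable. The function body starts and ends outside this hunk.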
@@ -554,7 +568,7 @@ function _ipa_create_remove_link(attr, param_info)
 
 
 /* creates a input box for editing a string attribute */
-function _ipa_create_text_input(attr, value, param_info)
+function _ipa_create_text_input(attr, value, param_info, rights)
 {
 
     function calculate_dd_index(jobj){
@@ -585,8 +599,8 @@ function _ipa_create_text_input(attr, value, param_info)
         }
     }
 
-    var input = $("<Span />");
-    input.append($("<input/>",{
+    var span = $("<Span />");
+    var input = $("<input/>",{
         type:"text",
         name:attr,
         value:value.toString(),
@@ -598,9 +612,13 @@ function _ipa_create_text_input(attr, value, param_info)
             var text = $(this).val();
             validate_input(text, param_info,error_link);
         }
+    }).appendTo(span) ;
 
-    }));
-    input.append($("<a/>",{
+    if (!IPA.is_field_writable(rights)){
+        input.attr('disabled', 'disabled');
+    }
+
+    span.append($("<a/>",{
         html:"undo",
         "class":"ui-state-highlight ui-corner-all",
         style:"display:none",
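Review bot: The `disabled` attribute set after `IPA.is_field_writable(rights)` is presentation only, and nothing in the code says so; a reader could take it for the access check. A short comment above the `if` would make the trust boundary explicit: `// UI hint only: write access is enforced by the directory server, not by this attribute`. Callers that omit `rights` (the old three-argument form) would reach `is_field_writable` with `undefined`, so they need updating too. The function body starts and ends outside this hunk.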
@@ -624,12 +642,12 @@ function _ipa_create_text_input(attr, value, param_info)
             validate_input(previous_value, param_info,error_link);
         }
     }));
-    input.append($("<span/>",{
+    span.append($("<span/>",{
         html:"Does not match pattern",
         "class":"ui-state-error ui-corner-all",
         style:"display:none"
     }));
-    return input;
+    return span;
 }
 
 function ipa_details_reset(container)
diff --git a/install/static/test/details_tests.js b/install/static/test/details_tests.js
index 4a60216efe8a1e6699347ed6c06b2da5874703bd..bd519047a0fa3796394f9379b476c96d0930d55c 100644
--- a/install/static/test/details_tests.js
+++ b/install/static/test/details_tests.js
@@ -173,7 +173,8 @@ test("Testing  _ipa_create_text_input().", function(){
 
     var name = "name";
     var value="value";
-    var input = _ipa_create_text_input(name, value);
+    var rights = 'rscwo'
+    var input = _ipa_create_text_input(name, value, null,rights);
     ok(input,"input not null");
 
     var text = input.find('input');
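Review bot: The writable case passes `rights = 'rscwo'`, but no visible line asserts that the input stays enabled, so a regression that disabled every field would still pass here; the rest of the test lies outside the hunk. Adding `ok(!text[0].disabled, "writable input is enabled");` next to the other assertions would pin it. `var rights = 'rscwo'` is also missing its semicolon.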
@@ -185,6 +186,27 @@ test("Testing  _ipa_create_text_input().", function(){
 });
 
 
+test("Testing  _ipa_create_text_input() read only .", function(){
+
+    var name = "name";
+    var value="value";
+    var rights = 'rsc'
+    var input = _ipa_create_text_input(name, value, null,rights);
+    ok(input,"input not null");
+
+    var text = input.find('input');
+    ok(text);
+
+    same(text[0].name,name );
+    same(text[0].value,value );
+    same(text[0].type,"text" );
+    ok(text[0].disabled);
+
+});
+
+
+
+
 test("Testing ipa_details_section_setup()",function(){
 
     var section = ipa_stanza({name: 'IDIDID', label: 'NAMENAMENAME'}).
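Review bot: `ok(text)` in the new read-only test cannot fail, because a jQuery result is truthy even when it matches nothing; `same(text.length, 1);` would check that the input exists. The test covers `'rsc'` only, so the missing-rights path (`undefined` or `null`), which currently alerts and then throws in `IPA.is_field_writable`, is untested. `var rights = 'rsc'` is missing its semicolon.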
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 97a02946b943de68a7ee3f703ba1d55e7cb08700..2f6d9e176ab6296650063291f4c2d0a977a36c0d 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -569,7 +569,7 @@ class LDAPRetrieve(LDAPQuery):
                 rdict = {}
                 for r in rights:
                     (k,v) = r.split(':')
-                    rdict[k] = v
+                    rdict[k.strip().lower()] = v
                 entry_attrs['attributelevelrights'] = rdict
 
         for callback in self.POST_CALLBACKS:
-- 
1.7.1
