Adam Young wrote:
On 11/03/2010 12:55 PM, Endi Sukma Dewata wrote:
On 11/3/2010 8:53 AM, Adam Young wrote:
Still NACK. I have tested this again. It looks like the UI does not
send the --rights parameter which is required to get the
attributelevelrights. With this patch even the admin can't edit
anything.


Ah...that was because I did it as two commits, and only made a patch out
of one.

Still too many disabled inputs. If you login as admin and open admin's
details page, the only editable fields are last name and full name.
(State is also editable but I suspect it's because this field doesn't
support rights yet.) According to attributelevelrights I should be able
to edit a number of attributes including uidNumber, gidNumber,
telephoneNumber, but that's not the case. Do you see a different
behavior when you test it? Am I missing some other patches? Btw, in
your patch I think rights should be set to 'true' instead of 1.

"attributelevelrights": {
"aci": "rscwo",
"cn": "rscwo",
"description": "rscwo",
"gecos": "rscwo",
"gidNumber": "rscwo",
"homeDirectory": "rscwo",
"inetUserHttpURL": "rscwo",
"inetUserStatus": "rscwo",
"ipaUniqueID": "rsc",
"krbCanonicalName": "rscwo",
"krbExtraData": "rscwo",
"krbLastFailedAuth": "rscwo",
"krbLastPwdChange": "rscwo",
"krbLastSuccessfulAuth": "rscwo",
"krbLoginFailedCount": "rscwo",
"krbMaxRenewableAge": "rscwo",
"krbMaxTicketLife": "rscwo",
"krbPasswordExpiration": "rscwo",
"krbPrincipalAliases": "rscwo",
"krbPrincipalExpiration": "rscwo",
"krbPrincipalKey": "wo",
"krbPrincipalName": "rscwo",
"krbPrincipalType": "rscwo",
"krbPwdHistory": "rscwo",
"krbPwdPolicyReference": "rscwo",
"krbTicketFlags": "rscwo",
"krbTicketPolicyReference": "rscwo",
"krbUPEnabled": "rscwo",
"loginShell": "rscwo",
"memberOf": "rsc",
"mepManagedEntry": "rscwo",
"nsAccountLock": "rscwo",
"objectClass": "rscwo",
"seeAlso": "rscwo",
"sn": "rscwo",
"telephoneNumber": "rscwo",
"uid": "rscwo",
"uidNumber": "rscwo",
"userPassword": "wo"
},

Now defaulting to rscwo, which means that some fields will show up
editable even if the user can't change them, due to effectiverights not
being returned on all fields.

The problem is that the effective rights is not returned properly, the account in question (admin) doesn't have those attributes at all. I don't think this is an appropriate fix.

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to