On 1/3/2012 6:27 AM, Petr Vobornik wrote:
On 12/07/2011 12:22 AM, Rob Crittenden wrote:
Resending as a [PATCH]

I've created UI portion patch (#2101). The show command seems working
well, but the mod command is not returning the memberof attribute after
execution. It is needed for Web UI (if we want to support modification
of memberof attr there). Otherwise we would have to call show command
after each mod.

I'm blaming it on these lines in permission.py:340:
for r in result:
if not r.startswith('member'):
entry_attrs[r] = result[r]
return dn

Yes, that part should probably look something like:

  for attr in self.obj.aci_attributes:
      if attr in result:
          entry_attrs[attr] = result[attr]

Also another thing, in _make_aci() in aci.py there are 2 exclusivity rules:
 * type, filter, subtree and targetgroup are mutually exclusive
 * filter and memberof are mutually exclusive

Based on these rules it's possible to have memberof and targetgroup in the same permission, but not filter with targetgroup, which seems to be inconsistent because memberof generates a subset of ACI's generated by filter.

The filter generates an ACI with a generic 'targetfilter=<filter>', and memberof seems to be a convenience method to generate an ACI with a more specific 'targetfilter=(memberOf=<memberof>)'.

So the 2 rules should be combined because, like filter, memberof should be mutually exclusive from the other targets too.

Endi S. Dewata

Freeipa-devel mailing list

Reply via email to