Endi Sukma Dewata wrote:
On 1/3/2012 6:27 AM, Petr Vobornik wrote:
On 12/07/2011 12:22 AM, Rob Crittenden wrote:
Resending as a [PATCH]

I've created UI portion patch (#2101). The show command seems working
well, but the mod command is not returning the memberof attribute after
execution. It is needed for Web UI (if we want to support modification
of memberof attr there). Otherwise we would have to call show command
after each mod.

I'm blaming it on these lines in permission.py:340:
for r in result:
if not r.startswith('member'):
entry_attrs[r] = result[r]
return dn

Yes, that part should probably look something like:

for attr in self.obj.aci_attributes:
if attr in result:
entry_attrs[attr] = result[attr]

I'm not sure why that was there unless it is to exclude members of the permission (remember, we show things in reverse).

Also another thing, in _make_aci() in aci.py there are 2 exclusivity rules:
* type, filter, subtree and targetgroup are mutually exclusive
* filter and memberof are mutually exclusive

Based on these rules it's possible to have memberof and targetgroup in
the same permission, but not filter with targetgroup, which seems to be
inconsistent because memberof generates a subset of ACI's generated by
filter.

The filter generates an ACI with a generic 'targetfilter=<filter>', and
memberof seems to be a convenience method to generate an ACI with a more
specific 'targetfilter=(memberOf=<memberof>)'.

So the 2 rules should be combined because, like filter, memberof should
be mutually exclusive from the other targets too.


This is specifically allowed because it lets you restrict the members of the memberof group to modify only the values of the targetgroup (e.g. group membership). If anything I'd relax it so filter and targetgroup aren't mutually exclusive. I'm not sure of the use case for this though.

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to