On 26.10.2012 11:58, Tomas Babej wrote:
In many ipa commands you are usually able to mess things up using --setattr for attributes that are handled by command options.using --setattr=attributename=: - I am able to set the attribute to None using --setattr=attributename=value: - I am often able to bypass validation in pre_callback that operates with options[] - I am able to override the value given using the option that handles this attribute. Therefore I am able to save a value that completely bypasses the rules even for compulsory attributes. The question is, should we support such usage? Make our commands foolproof? Or should we give the power to break the system to the unwary user? There is also a option of disabling --setattr for attributes that are fully handled via command options. I suppose that would not require extensive changes in the IPA code, as opposed to tiresome checking for these corner use cases in every command. Tomas
<https://www.redhat.com/archives/freeipa-devel/2012-April/msg00102.html> <https://www.redhat.com/archives/freeipa-devel/2012-May/msg00068.html> -- Jan Cholasta _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
