With the --all --raw options, the code assumed attribute-level rights
were set on ipaPermissionV2 attributes, even on permissions that did not
have the objectclass.
Check that the data is present before using it.

https://fedorahosted.org/freeipa/ticket/4121

--
Petr³
From 3fb216a5ff1e69527eb6c349cafc6965f641c238 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Tue, 21 Jan 2014 12:13:47 +0100
Subject: [PATCH] permission plugin: Do not assume attribute-level rights for
 new attributes are present

With the --all --raw options, the code assumed attribute-level rights
were set on ipaPermissionV2 attributes, even on permissions that did not
have the objectclass.
Check that the data is present before using it.

https://fedorahosted.org/freeipa/ticket/4121
---
 ipalib/plugins/permission.py | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 16d5fc9cff7f3b40861db2c4623bc38c70d25692..e3c8dc6daf52c5dc78c73b4c94e309f3a251bd75 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -293,13 +293,16 @@ def postprocess_result(self, entry, options):
 
         rights = entry.get('attributelevelrights')
         if rights:
-            rights['memberof'] = rights['ipapermtargetfilter']
-            rights['targetgroup'] = rights['ipapermtarget']
+            if 'ipapermtargetfilter' in rights:
+                rights['memberof'] = rights['ipapermtargetfilter']
+            if 'ipapermtarget' in rights:
+                rights['targetgroup'] = rights['ipapermtarget']
 
-            type_rights = set(rights['ipapermtarget'])
-            type_rights.intersection_update(rights['ipapermlocation'])
-            rights['type'] = ''.join(sorted(type_rights,
-                                            key=rights['ipapermtarget'].index))
+                type_rights = set(rights['ipapermtarget'])
+                location_rights = set(rights.get('ipapermlocation', ''))
+                type_rights.intersection_update(location_rights)
+                rights['type'] = ''.join(sorted(
+                    type_rights, key=rights['ipapermtarget'].index))
 
             if not client_has_capability(options['version'], 'permissions2'):
                 for old_name, new_name in _DEPRECATED_OPTION_ALIASES.items():
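
Review bot: inside the new "if 'ipapermtarget' in rights:" branch, a missing 'ipapermlocation' falls back to '' via rights.get('ipapermlocation', ''), so the intersection is empty and rights['type'] is set to an empty string, while a missing 'ipapermtargetfilter' or 'ipapermtarget' leaves 'memberof' and 'targetgroup' unset. A caller cannot then tell "no rights on type" from "rights not reported"; consider guarding the type computation on both keys being present so 'type' is omitted in the same way, or add a comment saying the empty value is intended. The diffstat shows only ipalib/plugins/permission.py changing, so a regression test that runs --all --raw against a permission without the ipaPermissionV2 objectclass would be worth adding alongside this fix.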
-- 
1.8.4.2
