Petr Viktorin wrote:
> When investigating this issue I became very annoyed by the star import
> hiding where names come from, so I did some cleanup first.
>
>
> In krbtpolicy, an ACIError is now raised if:
> - the user doesn't have permission to read any one of the ticket policy
> attributes on the requested entry
> (checked using attribute-level rights)
> - any ticket policy attribute from the default policy is not available
> (either not readable, or not there at all)
> (only checked if these are accessed, i.e. when the user entry doesn't
> override all of the defaults, or when requesting the global policy)
>
> That means if the user is not available at all, you get a NotFound, but
> if global policy is not found it's assumed that it's just unreadable.
That seems reasonable to me.
I also noticed a typo, ddoesn't
In the lower-level code, ldap2.py, we have some help
can_[read|write|etc] for managing rights. Would doing something similar
in baseldap be better than embedding the logic into each plugins?
So instead of this:
if rights is None:
rights = baseldap.get_effective_rights(
ldap, dn, self.obj.default_attributes)
if 'r' not in rights.get(attrname.lower(), ''):
raise errors.ACIError(
info=_('Ticket policy for %s could not be
read') %
keys[-1])
You'd have this:
if not baseldap.can_read(ldap, dn, attrname):
raise errors.ACIError(
info=_('Ticket policy for %s could not be
read') %
keys[-1])
This may end up fetching the rights multiple times depending on how many
things need to be read, so perhaps passing that in if you have it already.
rob
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
