On 08/25/2015 07:37 AM, Alexander Bokovoy wrote:
On Tue, 25 Aug 2015, Fraser Tweedale wrote:
The attached patch fixes
https://fedorahosted.org/freeipa/ticket/5247.

Thanks,
Fraser

From 2cb4ab6eeedccc3471ed9bf983add4687ecd5c1a Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 24 Aug 2015 20:25:10 -0400
Subject: [PATCH] certprofile: prevent rename (modrdn)

Fixes: https://fedorahosted.org/freeipa/ticket/5247
---
ipalib/plugins/certprofile.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/certprofile.py
b/ipalib/plugins/certprofile.py
index
007cc543406b7e5705fd7474f3685cd6a9ce6aca..a0ffa38608400860994c771e4eba81304ead27be
100644
--- a/ipalib/plugins/certprofile.py
+++ b/ipalib/plugins/certprofile.py
@@ -323,8 +323,9 @@ class certprofile_mod(LDAPUpdate):
    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
**options):
        ca_enabled_check()
        # Once a profile id is set it cannot be changed
-        if 'cn' in entry_attrs:
-            raise errors.ACIError(info=_('cn is immutable'))
+        if 'rename' in options or 'cn' in entry_attrs:
+            raise errors.ProtectedEntryError(label='certprofile',
key=keys[0],
+                reason=_('Certificate profiles cannot be renamed'))
        if 'file' in options:
            with self.api.Backend.ra_certprofile as profile_api:
                profile_api.disable_profile(keys[0])
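Review bot: The added branch `if 'rename' in options or 'cn' in entry_attrs:` has no test in this patch; the diffstat shows only ipalib/plugins/certprofile.py changing. Please add a test asserting that certprofile-mod with a rename raises ProtectedEntryError, so the restriction cannot silently regress. Note also that the existing `'cn' in entry_attrs` case now raises ProtectedEntryError instead of ACIError, which is visible to API callers and deserves a line in the commit message. Finally, the context comment "Once a profile id is set it cannot be changed" could mention rename explicitly, since the check now covers both paths.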
ACK

Can't we fix it by removing `rdn_is_primary_key = True`?

That would also remove the --rename option. Yes, it's an API change, but if rename is forbidden then the option should not even be there; just the result error will be different.
--
Petr Vobornik
