Re: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0072-rights-check.patch

2010-11-03 Thread Endi Sukma Dewata

On 11/1/2010 9:28 AM, Adam Young wrote:

>>> Check effective rights. If the right is not explicitly allowed, show the
>>> field as read only.
>>
>> It seems to be working, but I think it has to wait until the
>> attributelevelrights is returned in the JSON response because without
>> it the UI would become unusable because all fields would be disabled.
>
> That is part of the patch. attributelevelrights has been added as a flag
> to the JSON request. The change to baseldap.py will only apply on top of
> the change made to return the rights.
>
> I suspect that what you are seeing is that there are some holes in the
> coverage of the attribute level rights, and I made the decision to
> default to don't allow changes. Thus, this code needs to go in before
> we can identify places where the rights are not being properly reported,
> otherwise, we just won't know.


Still NACK. I have tested this again. It looks like the UI does not send 
the --rights parameter which is required to get the 
attributelevelrights. With this patch even the admin can't edit anything.


--
Endi S. Dewata

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0072-rights-check.patch

2010-11-03 Thread Endi Sukma Dewata

On 11/3/2010 8:53 AM, Adam Young wrote:

>> Still NACK. I have tested this again. It looks like the UI does not
>> send the --rights parameter which is required to get the
>> attributelevelrights. With this patch even the admin can't edit anything.
>
> Ah...that was because I did it as two commits, and only made a patch out
> of one.


Still too many disabled inputs. If you log in as admin and open admin's
details page, the only editable fields are last name and full name.
(State is also editable but I suspect it's because this field doesn't
support rights yet.) According to attributelevelrights I should be able
to edit a number of attributes including uidNumber, gidNumber,
telephoneNumber, but that's not the case. Do you see a different
behavior when you test it? Am I missing some other patches? Btw, in your
patch I think rights should be set to 'true' instead of 1.


attributelevelrights: {
aci: rscwo,
cn: rscwo,
description: rscwo,
gecos: rscwo,
gidNumber: rscwo,
homeDirectory: rscwo,
inetUserHttpURL: rscwo,
inetUserStatus: rscwo,
ipaUniqueID: rsc,
krbCanonicalName: rscwo,
krbExtraData: rscwo,
krbLastFailedAuth: rscwo,
krbLastPwdChange: rscwo,
krbLastSuccessfulAuth: rscwo,
krbLoginFailedCount: rscwo,
krbMaxRenewableAge: rscwo,
krbMaxTicketLife: rscwo,
krbPasswordExpiration: rscwo,
krbPrincipalAliases: rscwo,
krbPrincipalExpiration: rscwo,
krbPrincipalKey: wo,
krbPrincipalName: rscwo,
krbPrincipalType: rscwo,
krbPwdHistory: rscwo,
krbPwdPolicyReference: rscwo,
krbTicketFlags: rscwo,
krbTicketPolicyReference: rscwo,
krbUPEnabled: rscwo,
loginShell: rscwo,
memberOf: rsc,
mepManagedEntry: rscwo,
nsAccountLock: rscwo,
objectClass: rscwo,
seeAlso: rscwo,
sn: rscwo,
telephoneNumber: rscwo,
uid: rscwo,
uidNumber: rscwo,
userPassword: wo
},

--
Endi S. Dewata

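As an added example, not code from the thread or from FreeIPA itself, the check below classifies details-page fields from an attributelevelrights map like the one pasted above, failing closed when the map or the attribute is absent; the rights letters are assumed to be 389 Directory Server's effective-rights letters (r read, s search, c compare, w write, o obliterate), and the attribute names and values are a constructed excerpt of the map shown for the admin user.

```javascript
// Added example (not FreeIPA's own code): classify details-page fields from the
// attributelevelrights map that a 'show' command returns when rights is requested.
// Letters follow 389 Directory Server effective rights: r read, s search,
// c compare, w write, o obliterate (delete). Only 'w' grants editing.

// Constructed excerpt of the map pasted in the thread for the admin user.
const SAMPLE_RIGHTS = {
  ipaUniqueID: 'rsc',
  memberOf: 'rsc',
  krbPrincipalKey: 'wo',
  uidNumber: 'rscwo',
  telephoneNumber: 'rscwo',
  userPassword: 'wo'
};

function hasRight(rightsMap, attr, letter) {
  // Fail closed: no map (rights were not requested) or an attribute absent
  // from the map means the right was not explicitly granted.
  if (!rightsMap || typeof rightsMap !== 'object') return false;
  const rights = rightsMap[attr];
  return typeof rights === 'string' && rights.indexOf(letter) !== -1;
}

function isFieldWritable(rightsMap, attr) { return hasRight(rightsMap, attr, 'w'); }
function isFieldReadable(rightsMap, attr) { return hasRight(rightsMap, attr, 'r'); }

// Map each attribute to how the UI should render it:
//   editable   - enabled input showing the stored value (r and w)
//   write-only - enabled input, but no stored value to display (w without r,
//                e.g. userPassword)
//   read-only  - disabled input; covers 'rsc' and every fail-closed case
function classifyFields(rightsMap, attrs) {
  const out = {};
  for (const attr of attrs) {
    const w = isFieldWritable(rightsMap, attr);
    const r = isFieldReadable(rightsMap, attr);
    out[attr] = w ? (r ? 'editable' : 'write-only') : 'read-only';
  }
  return out;
}

// With the map present, admin can edit uidNumber but not memberOf.
console.log(classifyFields(SAMPLE_RIGHTS, ['uidNumber', 'memberOf', 'userPassword', 'cn']));
// Without the map (the rights parameter was not sent), everything is disabled,
// which is the symptom reported in the thread.
console.log(classifyFields(undefined, ['uidNumber', 'sn']));
```

The classification is presentational only; the directory server still enforces the ACIs on every write, so a wrong default here costs usability rather than access control.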


Re: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0072-rights-check.patch

2010-11-03 Thread Adam Young

On 11/03/2010 12:55 PM, Endi Sukma Dewata wrote:

> On 11/3/2010 8:53 AM, Adam Young wrote:
>
>>> Still NACK. I have tested this again. It looks like the UI does not
>>> send the --rights parameter which is required to get the
>>> attributelevelrights. With this patch even the admin can't edit
>>> anything.
>>
>> Ah...that was because I did it as two commits, and only made a patch out
>> of one.
>
> Still too many disabled inputs. If you log in as admin and open admin's
> details page, the only editable fields are last name and full name.
> (State is also editable but I suspect it's because this field doesn't
> support rights yet.) According to attributelevelrights I should be able
> to edit a number of attributes including uidNumber, gidNumber,
> telephoneNumber, but that's not the case. Do you see a different
> behavior when you test it? Am I missing some other patches? Btw, in
> your patch I think rights should be set to 'true' instead of 1.
>
> attributelevelrights: {
> aci: rscwo,
> cn: rscwo,
> description: rscwo,
> gecos: rscwo,
> gidNumber: rscwo,
> homeDirectory: rscwo,
> inetUserHttpURL: rscwo,
> inetUserStatus: rscwo,
> ipaUniqueID: rsc,
> krbCanonicalName: rscwo,
> krbExtraData: rscwo,
> krbLastFailedAuth: rscwo,
> krbLastPwdChange: rscwo,
> krbLastSuccessfulAuth: rscwo,
> krbLoginFailedCount: rscwo,
> krbMaxRenewableAge: rscwo,
> krbMaxTicketLife: rscwo,
> krbPasswordExpiration: rscwo,
> krbPrincipalAliases: rscwo,
> krbPrincipalExpiration: rscwo,
> krbPrincipalKey: wo,
> krbPrincipalName: rscwo,
> krbPrincipalType: rscwo,
> krbPwdHistory: rscwo,
> krbPwdPolicyReference: rscwo,
> krbTicketFlags: rscwo,
> krbTicketPolicyReference: rscwo,
> krbUPEnabled: rscwo,
> loginShell: rscwo,
> memberOf: rsc,
> mepManagedEntry: rscwo,
> nsAccountLock: rscwo,
> objectClass: rscwo,
> seeAlso: rscwo,
> sn: rscwo,
> telephoneNumber: rscwo,
> uid: rscwo,
> uidNumber: rscwo,
> userPassword: wo
> },

Now defaulting to rscwo, which means that some fields will show up
editable even if the user can't change them, due to effectiverights not
being returned on all fields.
From 7ab58087ce3eba51526b8ca1cc3c055cf1b2cb13 Mon Sep 17 00:00:00 2001
From: Adam Young ayo...@redhat.com
Date: Fri, 29 Oct 2010 14:24:23 -0400
Subject: [PATCH] rights check
 if the field does not have a 'w' for writable in its rights, disable it.

---
 install/static/details.js|   50 +++---
 install/static/test/details_tests.js |   24 +++-
 ipalib/plugins/baseldap.py   |2 +-
 3 files changed, 58 insertions(+), 18 deletions(-)

diff --git a/install/static/details.js b/install/static/details.js
index 4bc1791..a79823e 100644
--- a/install/static/details.js
+++ b/install/static/details.js
@@ -26,6 +26,13 @@
 
 var ipa_details_cache = {};
 
+IPA.is_field_writable = function(rights){
+if (!rights){
+alert('no right');
+}
+return rights.indexOf('w')  -1;
+}
+
 function ipa_details_field(spec) {
 
 spec = spec || {};
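Review bot: IPA.is_field_writable still dereferences rights after finding it falsy: `if (!rights){ alert('no right'); }` falls through to `rights.indexOf('w')`, which throws a TypeError on undefined, and the alert is a debugging artefact that would pop up once per field. Return false from that branch (fail closed, which is the default the cover letter argues for) and drop the alert. The comparison in `return rights.indexOf('w')  -1;` is shown here with no operator, presumably a `>` lost in archiving; confirm the committed line reads `> -1` (or `!== -1`), and terminate the function expression with a semicolon. The check is presentational only, since the directory server still enforces the ACIs on every modify, so a bug here affects usability rather than access control.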
@@ -75,15 +82,21 @@ function ipa_details_field(spec) {
 }
 
 var value = entry_attrs[this.name];
+var rights = 'rscwo';
+if (entry_attrs.attributelevelrights){
+rights = entry_attrs.attributelevelrights[this.name] || 'rscwo' ;
+}
 if (value) {
 dd = ipa_create_first_dd(
-this.name, ipa_create_input(obj_name, this.name, value[0],hint_span)
+this.name, ipa_create_input(obj_name, this.name, value[0],hint_span,rights)
 );
 dt.after(dd);
 var last_dd = dd;
 for (var i = 1; i  value.length; ++i) {
 dd = ipa_create_other_dd(
-this.name, ipa_create_input(obj_name, this.name, value[i],hint_span)
+this.name,
+ipa_create_input(obj_name, this.name, value[i],hint_span,
+ rights)
 );
 last_dd.after(dd);
 last_dd = dd;
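Review bot: the default `var rights = 'rscwo';` is fail-open in two distinct situations that the code treats alike: attributelevelrights missing from the response (rights not requested) and, through `|| 'rscwo'`, the map being present but omitting this attribute. In the second case the server has answered and a missing attribute more plausibly means no rights than full rights, so that fallback should be read-only, or at least the two cases should be distinguished and the first logged as a client bug. Also `for (var i = 1; i  value.length; ++i)` is context here but is shown without its comparison operator; confirm it reads `i < value.length` in the tree. Finally, ipa_create_input now receives a fifth `rights` argument in all three call sites, but the corresponding change to its signature is not in the hunks shown; make sure it is part of the same patch.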
@@ -95,14 +108,15 @@ function ipa_details_field(spec) {
 last_dd.after(dd);
 }
 } else {
-if (multivalue) {
+if (multivalue) {  //TODO Add rights check
 dd = ipa_create_first_dd(
 this.name, _ipa_a_add_template.replace('A', this.name) /*.append(hint_span)*/
 );
 dt.after(dd);
 } else {
 dd = ipa_create_first_dd(
-this.name, ipa_create_input(obj_name, this.name, '') /*.append(hint_span)*/
+this.name, ipa_create_input(
+obj_name, this.name,'',hint_span,rights)
 );
 dt.after(dd);
 }
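Review bot: the multivalue branch leaves `//TODO Add rights check` and still renders the add template unconditionally, so a user without 'w' sees an add control for an empty multi-valued attribute while single-valued ones are disabled; resolve the TODO in this patch, e.g. only emit `_ipa_a_add_template` when IPA.is_field_writable(rights). The single-value branch now also passes hint_span, which was previously commented out; that is a separate behaviour change and deserves a line in the commit message.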
@@ -344,7 +358,7 @@ function ipa_details_load(container, pkey, on_win, on_fail)
 params = [];
 }
 ipa_cmd(
-'show', params, {all: true, rights: 1  }, 
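Review bot: `{all: true, rights: 1 }` should use `rights: true`, as Endi noted earlier in the thread. The remainder of this hunk, and the install/static/test/details_tests.js and ipalib/plugins/baseldap.py changes listed in the diffstat, are cut off in the archived message, so the test coverage for the read-only default cannot be reviewed from what is shown here; please include the complete patch in the rebased resend.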

Re: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0072-rights-check.patch

2010-11-03 Thread Endi Sukma Dewata

On 11/3/2010 2:50 PM, Adam Young wrote:

> Now defaulting to rscwo, which means that some fields will show up
> editable even if the user can't change them, due to effectiverights not
> being returned on all fields.


Could you rebase it against the latest in master? The patch cannot be 
applied. Thanks.


--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0072-rights-check.patch

2010-11-01 Thread Adam Young

On 10/29/2010 09:31 PM, Endi Sukma Dewata wrote:

> On 10/29/2010 2:50 PM, Adam Young wrote:
>
>> Check effective rights. If the right is not explicitly allowed, show the
>> field as read only.
>
> It seems to be working, but I think it has to wait until the
> attributelevelrights is returned in the JSON response because without
> it the UI would become unusable because all fields would be disabled.

That is part of the patch. attributelevelrights has been added as a
flag to the JSON request. The change to baseldap.py will only apply on
top of the change made to return the rights.

I suspect that what you are seeing is that there are some holes in the
coverage of the attribute level rights, and I made the decision to
default to don't allow changes. Thus, this code needs to go in
before we can identify places where the rights are not being properly
reported, otherwise, we just won't know.




Re: [Freeipa-devel] [PATCH] freeipa-admiyo-freeipa-0072-rights-check.patch

2010-10-29 Thread Endi Sukma Dewata

On 10/29/2010 2:50 PM, Adam Young wrote:

> Check effective rights. If the right is not explicitly allowed, show the
> field as read only.


It seems to be working, but I think it has to wait until the 
attributelevelrights is returned in the JSON response because without it 
the UI would become unusable because all fields would be disabled.


--
Endi S. Dewata
