Re: [Freeipa-devel] [PATCH] 227 Editable sshkey field after upgrade

2012-11-29 Thread Petr Vobornik

On 11/27/2012 04:48 PM, Endi Sukma Dewata wrote:

On 11/20/2012 10:46 AM, Petr Vobornik wrote:

I think that ipaexternalmember, gidnumber and macaddress attributes
might cause trouble as well. They are all in objectclasses that are
added to objects on-demand (like ipasshuser/ipasshhost is).

Honza



Thanks for the catch. There is a problem with macaddress.
Ipaexternalmember and gid number aren't affected because group is
converted by actions, not by editing a field.

I additionally conditioned the write exception on having write rights
for objectclass. Update will fail without it.

Updated patch attached.


ACK.


Pushed to master, ipa-3-0.

--
Petr Vobornik

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 227 Editable sshkey field after upgrade

2012-11-27 Thread Endi Sukma Dewata

On 11/20/2012 10:46 AM, Petr Vobornik wrote:

I think that ipaexternalmember, gidnumber and macaddress attributes
might cause trouble as well. They are all in objectclasses that are
added to objects on-demand (like ipasshuser/ipasshhost is).

Honza



Thanks for the catch. There is a problem with macaddress.
Ipaexternalmember and gid number aren't affected because group is
converted by actions, not by editing a field.

I additionally conditioned the write exception on having write rights
for objectclass. Update will fail without it.

Updated patch attached.


ACK.

--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] 227 Editable sshkey field after upgrade

2012-11-20 Thread Petr Vobornik

On 11/20/2012 10:48 AM, Jan Cholasta wrote:

Hi,

On 19.11.2012 13:38, Petr Vobornik wrote:

After upgrade, sshkeys of existing users and hosts are not editable
because attribute level rights are not sent to Web UI due to lack of
ipasshuser object class.

'w_if_no_aci' attribute flag was introduced to bypass this issue. It
makes attribute writable when AttributeLevelRights are not present. It
was set for sshkeys_field.

https://fedorahosted.org/freeipa/ticket/3260



I think that ipaexternalmember, gidnumber and macaddress attributes
might cause trouble as well. They are all in objectclasses that are
added to objects on-demand (like ipasshuser/ipasshhost is).

Honza



Thanks for the catch. There is a problem with macaddress. 
Ipaexternalmember and gid number aren't affected because group is 
converted by actions, not by editing a field.


I additionally conditioned the write exception on having write rights 
for objectclass. Update will fail without it.


Updated patch attached.
--
Petr Vobornik
From 7af1e585f58773083ea17ca228b41d2caee655e1 Mon Sep 17 00:00:00 2001
From: Petr Vobornik 
Date: Mon, 19 Nov 2012 13:22:36 +0100
Subject: [PATCH] Editable sshkey, mac address field after upgrade

After upgrade, sshkeys of existing users and hosts or mac address are not editable because attribute level rights are not sent to Web UI due to lack of ipasshuser/ieee802device object classes.

'w_if_no_aci' attribute flag was introduced to bypass this issue. It makes attribute writable when AttributeLevelRights for the attribute are not present and only when user possesses rights for modifying object class attribute.

The flag was set for sshkeys_field and mac address field.

https://fedorahosted.org/freeipa/ticket/3260
---
 install/ui/field.js | 17 +++--
 install/ui/host.js  |  3 ++-
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/install/ui/field.js b/install/ui/field.js
index c5c999e685500765f09af084531def144bbbd10b..612c8eb5aa76848d23961c7b66c89b30539a03ac 100644
--- a/install/ui/field.js
+++ b/install/ui/field.js
@@ -190,7 +190,17 @@ IPA.field = function(spec) {
 
 if (record.attributelevelrights) {
 var rights = record.attributelevelrights[that.param];
-if (!rights || rights.indexOf('w') < 0) {
+var oc_rights= record.attributelevelrights['objectclass'];
+var write_oc = oc_rights && oc_rights.indexOf('w') > -1;
+
+// Some objects in LDAP may not have set proper object class and
+// therefore server doesn't send proper attribute rights. Flag
+// 'w_if_no_aci' should be used when we want to ensure that UI
+// shows edit interface in such cases. Usable only when user can
+// modify object classes.
+// For all others, lack of rights means no write.
+if ((!rights && !(that.flags.indexOf('w_if_no_aci') > -1 && write_oc)) ||
+ (rights && rights.indexOf('w') < 0)) {
 that.writable = false;
 }
 }
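
Review bot: In the new condition in IPA.field, that.flags.indexOf('w_if_no_aci') is evaluated whenever rights is missing, but nothing in this hunk shows that.flags being defaulted for fields built without a flags spec; in this patch only IPA.sshkeys_field and the macaddress spec set it. Please confirm the base constructor initializes it (for example to an empty array), otherwise every unflagged field with missing rights throws here instead of becoming read-only. The nested negation is also hard to audit for an access decision: computing a named boolean for the flag next to write_oc and then handling the !rights and rights cases separately would make the rule easier to verify. Minor: missing space before '=' in 'var oc_rights= ...'.
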
@@ -644,7 +654,10 @@ IPA.sshkeys_field = function(spec) {
 
 var that = IPA.multivalued_field(spec);
 
-that.sshfp_attr = 'sshpubkeyfp' || spec.sshfp_attr;
+// Fixes upgrade issue. When attr rights are missing due to lack of object class.
+that.flags = spec.flags || ['w_if_no_aci'];
+
+that.sshfp_attr = spec.sshfp_attr || 'sshpubkeyfp';
 
 that.load = function(record) {
 
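
Review bot: In IPA.sshkeys_field, that.flags = spec.flags || ['w_if_no_aci'] replaces the default rather than extending it, so any caller that passes its own flags in the spec silently loses the upgrade workaround and the field goes back to read-only when rights are missing. If the flag is meant to apply to every sshkeys field, add it to whatever spec.flags contains instead of using it only as a fallback. The comment above the assignment is also a sentence fragment; it should say in one full sentence that attribute rights are missing when the entry lacks the object class.
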
diff --git a/install/ui/host.js b/install/ui/host.js
index a2b91b6b36186ee6ff26d24166dbe55355216ce9..6aff2c50dfebb6d9a61cfe1a4667989f25b9cee4 100644
--- a/install/ui/host.js
+++ b/install/ui/host.js
@@ -71,7 +71,8 @@ IPA.host.entity = function(spec) {
 },
 {
 type: 'multivalued',
-name: 'macaddress'
+name: 'macaddress',
+flags: ['w_if_no_aci']
 }
 ]
 },
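
Review bot: The macaddress spec in host.js gets flags: ['w_if_no_aci'] with no comment, unlike the sshkeys_field change in field.js, which explains the upgrade issue. A one-line comment naming the on-demand object class (ieee802device, per the commit message) would tell future readers why this one field overrides missing rights. Because the flag has to be repeated on each field whose object class is added on demand, the commit message should also say how the affected attributes were identified.
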
-- 
1.7.11.7


Re: [Freeipa-devel] [PATCH] 227 Editable sshkey field after upgrade

2012-11-20 Thread Jan Cholasta

Hi,

On 19.11.2012 13:38, Petr Vobornik wrote:

After upgrade, sshkeys of existing users and hosts are not editable
because attribute level rights are not sent to Web UI due to lack of
ipasshuser object class.

'w_if_no_aci' attribute flag was introduced to bypass this issue. It
makes attribute writable when AttributeLevelRights are not present. It
was set for sshkeys_field.

https://fedorahosted.org/freeipa/ticket/3260



I think that ipaexternalmember, gidnumber and macaddress attributes 
might cause trouble as well. They are all in objectclasses that are 
added to objects on-demand (like ipasshuser/ipasshhost is).


Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 227 Editable sshkey field after upgrade

2012-11-19 Thread Endi Sukma Dewata

On 11/19/2012 6:38 AM, Petr Vobornik wrote:

After upgrade, sshkeys of existing users and hosts are not editable
because attribute level rights are not sent to Web UI due to lack of
ipasshuser object class.

'w_if_no_aci' attribute flag was introduced to bypass this issue. It
makes attribute writable when AttributeLevelRights are not present. It
was set for sshkeys_field.

https://fedorahosted.org/freeipa/ticket/3260


ACK.

--
Endi S. Dewata



[Freeipa-devel] [PATCH] 227 Editable sshkey field after upgrade

2012-11-19 Thread Petr Vobornik

After upgrade, sshkeys of existing users and hosts are not editable
because attribute level rights are not sent to Web UI due to lack of
ipasshuser object class.


'w_if_no_aci' attribute flag was introduced to bypass this issue. It 
makes attribute writable when AttributeLevelRights are not present. It 
was set for sshkeys_field.


https://fedorahosted.org/freeipa/ticket/3260
--
Petr Vobornik
From 24e794a42c8650c78d8a9d761a8be8c03d6d663c Mon Sep 17 00:00:00 2001
From: Petr Vobornik 
Date: Mon, 19 Nov 2012 13:22:36 +0100
Subject: [PATCH] Editable sshkey field after upgrade

After upgrade, sshkeys of existing users and hosts are not editable because attribute level rights are not sent to Web UI due to lack of ipasshuser object class.

'w_if_no_aci' attribute flag was introduced to bypass this issue. It makes attribute writable when AttributeLevelRights are not present. It was set for sshkeys_field.

https://fedorahosted.org/freeipa/ticket/3260
---
 install/ui/field.js | 14 --
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/install/ui/field.js b/install/ui/field.js
index c5c999e685500765f09af084531def144bbbd10b..e072c72a1d2948a97ff15f7b4ff42c4c749adfcf 100644
--- a/install/ui/field.js
+++ b/install/ui/field.js
@@ -190,7 +190,14 @@ IPA.field = function(spec) {
 
 if (record.attributelevelrights) {
 var rights = record.attributelevelrights[that.param];
-if (!rights || rights.indexOf('w') < 0) {
+
+// Some objects in LDAP may not have set proper object class and
+// therefore server doesn't send proper attribute rights. Flag
+// 'w_if_no_aci' should be used when we want to ensure that UI
+// shows edit interface in such cases.
+// For all others lack of rights means no write.
+if ((!rights && that.flags.indexOf('w_if_no_aci') < 0) ||
+  (rights && rights.indexOf('w') < 0)) {
 that.writable = false;
 }
 }
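
Review bot: The first branch of the new condition, !rights && that.flags.indexOf('w_if_no_aci') < 0, makes a flagged field writable for every user whose record lacks rights for the attribute, with no check that the user can change the entry at all. The exception should also require 'w' in record.attributelevelrights['objectclass'], since the update has to modify the object class; without that the UI offers an edit control to users whose update will fail. The comment should state that precondition too, so the flag is not read as an unconditional override.
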
@@ -644,7 +651,10 @@ IPA.sshkeys_field = function(spec) {
 
 var that = IPA.multivalued_field(spec);
 
-that.sshfp_attr = 'sshpubkeyfp' || spec.sshfp_attr;
+// Fixes upgrade issue. When attr rights are missing due to lack of object class.
+that.flags = spec.flags || ['w_if_no_aci'];
+
+that.sshfp_attr = spec.sshfp_attr || 'sshpubkeyfp';
 
 that.load = function(record) {
 
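
Review bot: The sshfp_attr line is a separate bug fix that the commit message does not mention: the old expression 'sshpubkeyfp' || spec.sshfp_attr always evaluated to 'sshpubkeyfp', so spec.sshfp_attr was never honoured, and after this change it is. Please mention it in the commit message or split it into its own commit so the behaviour change is visible in history.
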
-- 
1.7.11.7
