[Freeipa-devel] [PATCH] 908 adjust search so that it works for non-admin users

2015-08-12 Thread Petr Vobornik

Non-admin user can now search for:
- hosts
- hostgroups
- netgroups
- servers
- services

(Fixes ACI issue where search returns nothing when user doesn't have
read rights for an attribute in search_attributes.)

https://fedorahosted.org/freeipa/ticket/5167
--
Petr Vobornik
From ec944dade52650225143c7e72320540f90374f79 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Wed, 12 Aug 2015 10:35:38 +0200
Subject: [PATCH] adjust search so that it works for non-admin users

Non-admin user can now search for:
- hosts
- hostgroups
- netgroups
- servers
- services

(Fixes ACI issue where search returns nothing when user doesn't have
read rights for an attribute in search_attributes.)

https://fedorahosted.org/freeipa/ticket/5167
---
 ipalib/plugins/host.py  | 2 +-
 ipalib/plugins/hostgroup.py | 1 +
 ipalib/plugins/netgroup.py  | 4 
 ipalib/plugins/server.py| 1 +
 ipalib/plugins/service.py   | 3 +--
 5 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 410b4bd120743a6ad5787fbd2a55534b4f108601..3e882aefd210df73b7ffd15b5a4c1d2fc4173536 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -292,7 +292,7 @@ class host(LDAPObject):
 # object_class_config = 'ipahostobjectclasses'
 search_attributes = [
 'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname',
-'nshardwareplatform', 'nsosversion', 'managedby', 'ipaallowedtoperform'
+'nshardwareplatform', 'nsosversion', 'managedby',
 ]
 default_attributes = [
 'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname',
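Review bot: The changed `search_attributes` line drops 'ipaallowedtoperform' with no comment saying why, so a later edit can easily put it back and break non-admin host search again. Add a short comment above the list stating that every attribute listed here must be readable by ordinary users, and mention in the commit message that hosts can no longer be found by this attribute, which also changes results for admins.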
diff --git a/ipalib/plugins/hostgroup.py b/ipalib/plugins/hostgroup.py
index fafe40ad9a8d1693505b7d90e5d8fd12202a894b..30d474d80905f02c4f88742a2677220c150b3c7f 100644
--- a/ipalib/plugins/hostgroup.py
+++ b/ipalib/plugins/hostgroup.py
@@ -78,6 +78,7 @@ class hostgroup(LDAPObject):
 object_name_plural = _('host groups')
 object_class = ['ipaobject', 'ipahostgroup']
 permission_filter_objectclasses = ['ipahostgroup']
+search_attributes = ['cn', 'description', 'member', 'memberof']
 default_attributes = ['cn', 'description', 'member', 'memberof',
 'memberindirect', 'memberofindirect',
 ]
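Review bot: The added `search_attributes` line hard-codes 'cn', 'description', 'member', 'memberof' without stating which read permission covers them for a non-admin user, and the commit message says a single unreadable attribute makes the search return nothing. Name the permission in the commit message or in a comment so the list and the ACIs are reviewed together when either changes.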
diff --git a/ipalib/plugins/netgroup.py b/ipalib/plugins/netgroup.py
index d535b383e048fd12d08bde9247f158d183a5bcad..e69aaf94a035d0c4af28585f84b4b1f8105b3fc3 100644
--- a/ipalib/plugins/netgroup.py
+++ b/ipalib/plugins/netgroup.py
@@ -86,6 +86,10 @@ class netgroup(LDAPObject):
 object_name_plural = _('netgroups')
 object_class = ['ipaobject', 'ipaassociation', 'ipanisnetgroup']
 permission_filter_objectclasses = ['ipanisnetgroup']
+search_attributes = [
+'cn', 'description', 'memberof', 'externalhost', 'nisdomainname',
+'memberuser', 'memberhost', 'member', 'usercategory', 'hostcategory',
+]
 default_attributes = [
 'cn', 'description', 'memberof', 'externalhost', 'nisdomainname',
 'memberuser', 'memberhost', 'member', 'memberindirect',
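Review bot: The new ten-attribute `search_attributes` list is the widest in this patch, and by the commit message's own description any one entry without read rights (for example 'usercategory' or 'hostcategory') would make netgroup search return nothing for that user. A regression test that runs the netgroup search as a non-admin user would catch this; otherwise consider trimming the list to the attributes people actually search by.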
diff --git a/ipalib/plugins/server.py b/ipalib/plugins/server.py
index 7fc44197343dbb651782fbf79993cbbe8818efed..5808c9c5ea78fce4a15cd2e49740fbe20bca8358 100644
--- a/ipalib/plugins/server.py
+++ b/ipalib/plugins/server.py
@@ -38,6 +38,7 @@ class server(LDAPObject):
 object_name = _('server')
 object_name_plural = _('servers')
 object_class = ['top']
+search_attributes = ['cn']
 default_attributes = [
 'cn', 'iparepltopomanagedsuffix', 'ipamindomainlevel',
 'ipamaxdomainlevel'
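Review bot: `search_attributes = ['cn']` limits server search to the name only, so search criteria will not match against 'iparepltopomanagedsuffix' or the domain level attributes listed in `default_attributes` just below. If that is intended, say so in the commit message, since the message only lists servers among the objects that become searchable.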
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index a5e10921beac8b232f6b74640ef17713f7297a3d..a21d004c8a70d50385c94b12447d5fd5bc0851b4 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -391,8 +391,7 @@ class service(LDAPObject):
 ]
 possible_objectclasses = ['ipakrbprincipal', 'ipaallowedoperations']
 permission_filter_objectclasses = ['ipaservice']
-search_attributes = ['krbprincipalname', 'managedby', 'ipakrbauthzdata',
-'ipaallowedtoperform']
+search_attributes = ['krbprincipalname', 'managedby', 'ipakrbauthzdata']
 default_attributes = ['krbprincipalname', 'usercertificate', 'managedby',
 'ipakrbauthzdata', 'memberof', 'ipaallowedtoperform']
 uuid_attribute = 'ipauniqueid'
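Review bot: 'ipaallowedtoperform' is removed from `search_attributes` here by hand, the same edit made in host.py, while it stays in `default_attributes` on the lines below. Because the fix is per plugin, nothing prevents another plugin from listing an attribute ordinary users cannot read; a test that runs each find command as a non-admin user, or a check in the shared search code, would cover the whole class rather than these two cases.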
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 908 adjust search so that it works for non-admin users

2015-08-12 Thread Tomas Babej


On 08/12/2015 12:59 PM, Petr Vobornik wrote:
> Non-admin user can now search for:
> - hosts
> - hostgroups
> - netgroups
> - servers
> - services
>
> (Fixes ACI issue where search returns nothing when user doesn't have
> read rights for an attribute in search_attributes.)
>
> https://fedorahosted.org/freeipa/ticket/5167
 
 

ACK.



Re: [Freeipa-devel] [PATCH] 908 adjust search so that it works for non-admin users

2015-08-12 Thread Tomas Babej


On 08/12/2015 04:13 PM, Tomas Babej wrote:
 
 
> On 08/12/2015 12:59 PM, Petr Vobornik wrote:
>> Non-admin user can now search for:
>> - hosts
>> - hostgroups
>> - netgroups
>> - servers
>> - services
>>
>> (Fixes ACI issue where search returns nothing when user doesn't have
>> read rights for an attribute in search_attributes.)
>>
>> https://fedorahosted.org/freeipa/ticket/5167
>
> ACK.
 

Pushed to master: 196ef09bd25d727865aee72a03d59f9930c65149cd
Pushed to ipa-4-2: e37821af8026958e08f7354df3f84dd42f93d60f
