On 18.7.2014 00:03, Endi Sukma Dewata wrote:
On 7/10/2014 7:23 AM, Petr Vobornik wrote:
Reproduction:
* add 'extensibleObject' object class to target object
https://fedorahosted.org/freeipa/ticket/4380
This is the original if-condition:
(!rights
&& !(that.flags.indexOf('w_if_no_aci') > -1
&& write_oc))
|| (rights && rights.indexOf('w') < 0)
Here if 'rights' has a value but there's no 'w' in it, the expression
will evaluate to true.
This is the new code:
!can_write
&& !rights
&& !(that.flags.indexOf('w_if_no_aci') > -1 && write_oc)
Here if 'rights' has any value the expression will evaluate to false. Is
this correct?
You're right, there is an error. Attaching new version. The code is
rewritten to be more comprehensible - use cases are in separate variables.
--
Petr Vobornik
From e6c51dadeb29effccf4309ab3c66aa19e559ef8b Mon Sep 17 00:00:00 2001
From: Petr Vobornik
Date: Thu, 19 Jun 2014 17:09:38 +0200
Subject: [PATCH] webui: support wildcard attribute level rights
Reproduction:
* add 'extensibleObject' object class to target object
https://fedorahosted.org/freeipa/ticket/4380
---
install/ui/src/freeipa/field.js | 24 +++-
1 file changed, 15 insertions(+), 9 deletions(-)
diff --git a/install/ui/src/freeipa/field.js b/install/ui/src/freeipa/field.js
index c2e96b392bdba057828c3d5d465e7e17a52ee535..5905bbab601565d401e847de454ef86b0cd3ab97 100644
--- a/install/ui/src/freeipa/field.js
+++ b/install/ui/src/freeipa/field.js
@@ -450,6 +450,12 @@ field.field = IPA.field = function(spec) {
var writable = true;
+function has_write(record, param) {
+var rights = record.attributelevelrights[param];
+var has = !!rights && rights.indexOf('w') > -1;
+return has;
+}
+
if (that.metadata) {
if (that.metadata.primary_key) {
writable = false;
@@ -460,21 +466,21 @@ field.field = IPA.field = function(spec) {
}
}
-if (record && record.attributelevelrights) {
+if (record && record.attributelevelrights && writable) {
var rights = record.attributelevelrights[that.acl_param];
-var oc_rights= record.attributelevelrights['objectclass'];
-var write_oc = oc_rights && oc_rights.indexOf('w') > -1;
+var write_attr = has_write(record, that.acl_param);
+var write_all = has_write(record, '*');
-// Some objects in LDAP may not have set proper object class and
+// Some objects in LDAP may not have proper object class set and
// therefore server doesn't send proper attribute rights. Flag
// 'w_if_no_aci' should be used when we want to ensure that UI
// shows edit interface in such cases. Usable only when user can
// modify object classes.
-// For all others, lack of rights means no write.
-if ((!rights && !(that.flags.indexOf('w_if_no_aci') > -1 && write_oc)) ||
- (rights && rights.indexOf('w') < 0)) {
-writable = false;
-}
+var write_oc = has_write(record, 'objectclass');
+var may_add_oc = !rights && write_oc && that.flags.indexOf('w_if_no_aci') > -1;
+
+// If no rights, change writable to False:
+writable = write_attr || write_all || may_add_oc;
}
that.set_writable(writable);
--
1.9.3
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
