
[Freeipa-devel] [PATCH] don't allow special groups to be removed



This patch prevents the XML-RPC interface from removing the admins or editors groups, or the configured group that is the default group for new users.

I was originally going to do an ACI for this but thought that returning a useful error message was better.

rob
# HG changeset patch
# User Rob Crittenden <rcritten redhat com>
# Date 1196444948 18000
# Node ID 0ddcd0149699a853d8a6b03aff2abba3f5313fe5
# Parent  4ab464de3afe7f96d6b080fde920a2026a02bb1d
Don't allow the admins or editors groups to be removed.
Don't allow the default group for users to be removed.

diff -r 4ab464de3afe -r 0ddcd0149699 ipa-python/ipaerror.py
--- a/ipa-python/ipaerror.py	Fri Nov 30 12:04:16 2007 -0500
+++ b/ipa-python/ipaerror.py	Fri Nov 30 12:49:08 2007 -0500
@@ -162,3 +162,18 @@ CONNECTION_UNWILLING = gen_error_code(
         CONNECTION_CATEGORY,
         0x0004,
         "Account inactivated. Server is unwilling to perform.")
+
+#
+# Configuration errors
+#
+CONFIGURATION_CATEGORY = 0x0004
+
+CONFIG_REQUIRED_GROUPS = gen_error_code(
+        CONFIGURATION_CATEGORY,
+        0x0001,
+        "The admins and editors groups are required.")
+
+CONFIG_DEFAULT_GROUP = gen_error_code(
+        CONFIGURATION_CATEGORY,
+        0x0002,
+        "You cannot remove the default users group.")
diff -r 4ab464de3afe -r 0ddcd0149699 ipa-server/xmlrpc-server/funcs.py
--- a/ipa-server/xmlrpc-server/funcs.py	Fri Nov 30 12:04:16 2007 -0500
+++ b/ipa-server/xmlrpc-server/funcs.py	Fri Nov 30 12:49:08 2007 -0500
@@ -1201,6 +1201,16 @@ class IPAServer:
         if group is None:
             raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)
 
+        # We have 2 special groups, don't allow them to be removed
+        if "admins" in group.get('cn') or "editors" in group.get('cn'):
+            raise ipaerror.gen_exception(ipaerror.CONFIG_REQUIRED_GROUPS)
+
+        # Don't allow the default user group to be removed
+        config=self.get_ipa_config(opts)
+        default_group = self.get_entry_by_cn(config.get('ipadefaultprimarygroup'), None, opts)
+        if group_dn == default_group.get('dn'):
+            raise ipaerror.gen_exception(ipaerror.CONFIG_DEFAULT_GROUP)
+
         conn = self.getConnection(opts)
         try:
             res = conn.deleteEntry(group_dn)
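Review bot: The `in` test on `group.get('cn')` is a substring match if the attribute comes back as a plain string rather than a list of values, so a hypothetical group named `sysadmins` would also be refused, and it raises TypeError when the attribute is absent; the page does not show the entry type, so confirm it and, if cn is a string, compare each value with `==` instead. The default-group check compares the caller-supplied `group_dn` literally against the server-returned DN, so a DN differing only in case or spacing is not caught even though LDAP treats DNs case-insensitively; comparing the looked-up entry's own DN, `if group.get('dn') == default_group.get('dn'):`, removes that gap. `get_entry_by_cn` presumably can return None (the code above tests `group is None`), in which case `default_group.get('dn')` fails with AttributeError rather than a useful error, so a `default_group is None` guard is worth adding. The enclosing method starts and ends outside the hunk.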


