ipa/0001-Processing-of-server-roles-should-ignore-errors.Empt.patch

2018-03-21 08:45:19 +00:00
From e161bce61819fbc8fd1b2a0bdfb01ecf9947b733 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 19 Mar 2018 21:48:04 +0200
Subject: [PATCH 1/2] Processing of server roles should ignore
errors.EmptyResult
When a non-admin user issues a command that utilizes
api.Object.config.show_servroles_attributes(), some server roles might
return errors.EmptyResult, indicating that a role is not visible to this
identity.

Most of the callers to api.Object.config.show_servroles_attributes() do
not process errors.EmptyResult so it goes up to an API caller. In case
of Web UI it breaks retrieval of the initial configuration due to ipa
config-show failing completely rather than avoiding showing available
server roles.
Fixes: https://pagure.io/freeipa/issue/7452
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/plugins/config.py | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
index 33ed38ba0..dd235a4e1 100644
--- a/ipaserver/plugins/config.py
+++ b/ipaserver/plugins/config.py
@@ -276,9 +276,20 @@ class config(LDAPObject):
def update_entry_with_role_config(self, role_name, entry_attrs):
backend = self.api.Backend.serverroles
- role_config = backend.config_retrieve(role_name)
+ try:
+ role_config = backend.config_retrieve(role_name)
+ except errors.EmptyResult:
+ # No role config means current user identity
+ # has no rights to see it, return with no action
+ return
+
for key, value in role_config.items():
- entry_attrs.update({key: value})
+ try:
+ entry_attrs.update({key: value})
+ except errors.EmptyResult:
+ # An update that doesn't change an entry is fine here
+ # Just ignore and move to the next key pair
+ pass
def show_servroles_attributes(self, entry_attrs, *roles, **options):
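Review bot: the inner try/except around entry_attrs.update({key: value}) looks like dead code. The call is a mapping-style update on entry_attrs, nothing in this hunk shows it raising errors.EmptyResult, and the comment ("An update that doesn't change an entry is fine here") describes a directory modify rather than an in-memory update. If it cannot raise, drop the handler and keep the original single line. On the first handler, every errors.EmptyResult from backend.config_retrieve(role_name) is read as "caller has no rights to see it" and the method returns silently; returning without touching entry_attrs is a reasonable result for a non-admin caller, but a debug-level log naming role_name would let an administrator tell a hidden role from one that has no configuration. The diffstat lists only ipaserver/plugins/config.py, so a regression test that runs config-show as a non-admin identity would be worth adding alongside this change.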
--
2.14.3