Patch to fix GUI login for non-admin users

Resolves: #1557609
2018-03-19 17:28:51 -04:00 · 2018-03-19 17:28:51 -04:00 · 3d031dc162
commit 3d031dc162
parent b80b146ad3
2 changed files with 57 additions and 1 deletions
--- a/0001-Processing-of-server-roles-should-ignore-errors.Empt.patch
+++ b/0001-Processing-of-server-roles-should-ignore-errors.Empt.patch
@ -0,0 +1,52 @@
+From 782d74463226039647ec0b5caaa1a967d86cc930 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Mon, 19 Mar 2018 21:48:04 +0200
+Subject: [PATCH] Processing of server roles should ignore errors.EmptyResult
+
+When non-admin user issues a command that utilizes
+api.Object.config.show_servroles_attributes(), some server roles might
+return errors.EmptyResult, indicating that a role is not visible to this
+identity.
+
+Most of the callers to api.Object.config.show_servroles_attributes() do
+not process errors.EmptyResult so it goes up to an API caller. In case
+of Web UI it breaks retrieval of the initial configuration due to ipa
+config-show failing completely rather than avoiding to show available
+server roles.
+
+Fixes: https://pagure.io/freeipa/issue/7452
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ ipaserver/plugins/config.py | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
+index 33ed38ba0..dd235a4e1 100644
+--- a/ipaserver/plugins/config.py
+++ b/ipaserver/plugins/config.py
+@@ -276,9 +276,20 @@ class config(LDAPObject):
+     def update_entry_with_role_config(self, role_name, entry_attrs):
+         backend = self.api.Backend.serverroles
+ 
+-        role_config = backend.config_retrieve(role_name)
+        try:
+            role_config = backend.config_retrieve(role_name)
+        except errors.EmptyResult:
+            # No role config means current user identity
+            # has no rights to see it, return with no action
+            return
+
+         for key, value in role_config.items():
+-            entry_attrs.update({key: value})
+            try:
+                entry_attrs.update({key: value})
+            except errors.EmptyResult:
+                # An update that doesn't change an entry is fine here
+                # Just ignore and move to the next key pair
+                pass
+ 
+ 
+     def show_servroles_attributes(self, entry_attrs, *roles, **options):
+-- 
+2.14.3
+
--- a/freeipa.spec
+++ b/freeipa.spec
@ -100,7 +100,7 @@

 Name:           freeipa
 Version:        %{VERSION}
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        The Identity, Policy and Audit system

 Group:          System Environment/Base
@ -108,6 +108,7 @@ License:        GPLv3+
 URL:            https://www.freeipa.org/
 Source0:        https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz
 Source1:        https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.asc
+Patch0001:      0001-Processing-of-server-roles-should-ignore-errors.Empt.patch

 # For the timestamp trick in patch application
 BuildRequires:  diffstat
@ -1716,6 +1717,9 @@ fi
 %endif # with_ipatests

 %changelog
+* Mon Mar 19 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.90.pre1-2
+- Patch to fix GUI login for non-admin users (#1557609)
+
 * Fri Mar 16 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.90.pre1-1
 - Update to upstream 4.6.90.pre1