From 3d031dc162d2279a6147bc45f4fda131564cfedf Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 19 Mar 2018 17:28:51 -0400 Subject: [PATCH] Patch to fix GUI login for non-admin users Resolves: #1557609 --- ...rver-roles-should-ignore-errors.Empt.patch | 52 +++++++++++++++++++ freeipa.spec | 6 ++- 2 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 0001-Processing-of-server-roles-should-ignore-errors.Empt.patch diff --git a/0001-Processing-of-server-roles-should-ignore-errors.Empt.patch b/0001-Processing-of-server-roles-should-ignore-errors.Empt.patch new file mode 100644 index 0000000..3bd5e6f --- /dev/null +++ b/0001-Processing-of-server-roles-should-ignore-errors.Empt.patch @@ -0,0 +1,52 @@ +From 782d74463226039647ec0b5caaa1a967d86cc930 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Mon, 19 Mar 2018 21:48:04 +0200 +Subject: [PATCH] Processing of server roles should ignore errors.EmptyResult + +When non-admin user issues a command that utilizes +api.Object.config.show_servroles_attributes(), some server roles might +return errors.EmptyResult, indicating that a role is not visible to this +identity. + +Most of the callers to api.Object.config.show_servroles_attributes() do +not process errors.EmptyResult so it goes up to an API caller. In case +of Web UI it breaks retrieval of the initial configuration due to ipa +config-show failing completely rather than avoiding to show available +server roles. + +Fixes: https://pagure.io/freeipa/issue/7452 +Signed-off-by: Alexander Bokovoy +--- + ipaserver/plugins/config.py | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py +index 33ed38ba0..dd235a4e1 100644 +--- a/ipaserver/plugins/config.py ++++ b/ipaserver/plugins/config.py +@@ -276,9 +276,20 @@ class config(LDAPObject): + def update_entry_with_role_config(self, role_name, entry_attrs): + backend = self.api.Backend.serverroles + +- role_config = backend.config_retrieve(role_name) ++ try: ++ role_config = backend.config_retrieve(role_name) ++ except errors.EmptyResult: ++ # No role config means current user identity ++ # has no rights to see it, return with no action ++ return ++ + for key, value in role_config.items(): +- entry_attrs.update({key: value}) ++ try: ++ entry_attrs.update({key: value}) ++ except errors.EmptyResult: ++ # An update that doesn't change an entry is fine here ++ # Just ignore and move to the next key pair ++ pass + + + def show_servroles_attributes(self, entry_attrs, *roles, **options): +-- +2.14.3 + diff --git a/freeipa.spec b/freeipa.spec index 5b69c89..9a928b0 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -100,7 +100,7 @@ Name: freeipa Version: %{VERSION} -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -108,6 +108,7 @@ License: GPLv3+ URL: https://www.freeipa.org/ Source0: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz Source1: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.asc +Patch0001: 0001-Processing-of-server-roles-should-ignore-errors.Empt.patch # For the timestamp trick in patch application BuildRequires: diffstat @@ -1716,6 +1717,9 @@ fi %endif # with_ipatests %changelog +* Mon Mar 19 2018 Rob Crittenden - 4.6.90.pre1-2 +- Patch to fix GUI login for non-admin users (#1557609) + * Fri Mar 16 2018 Rob Crittenden - 4.6.90.pre1-1 - Update to upstream 4.6.90.pre1