From 782d74463226039647ec0b5caaa1a967d86cc930 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 19 Mar 2018 21:48:04 +0200 Subject: [PATCH] Processing of server roles should ignore errors.EmptyResult When non-admin user issues a command that utilizes api.Object.config.show_servroles_attributes(), some server roles might return errors.EmptyResult, indicating that a role is not visible to this identity. Most of the callers to api.Object.config.show_servroles_attributes() do not process errors.EmptyResult so it goes up to an API caller. In case of Web UI it breaks retrieval of the initial configuration due to ipa config-show failing completely rather than avoiding to show available server roles. Fixes: https://pagure.io/freeipa/issue/7452 Signed-off-by: Alexander Bokovoy --- ipaserver/plugins/config.py | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py index 33ed38ba0..dd235a4e1 100644 --- a/ipaserver/plugins/config.py +++ b/ipaserver/plugins/config.py @@ -276,9 +276,20 @@ class config(LDAPObject): def update_entry_with_role_config(self, role_name, entry_attrs): backend = self.api.Backend.serverroles - role_config = backend.config_retrieve(role_name) + try: + role_config = backend.config_retrieve(role_name) + except errors.EmptyResult: + # No role config means current user identity + # has no rights to see it, return with no action + return + for key, value in role_config.items(): - entry_attrs.update({key: value}) + try: + entry_attrs.update({key: value}) + except errors.EmptyResult: + # An update that doesn't change an entry is fine here + # Just ignore and move to the next key pair + pass def show_servroles_attributes(self, entry_attrs, *roles, **options): -- 2.14.3