Correct acl usage of ldap-useradmin #1150
Conversation
|
Thanks for this patch! However, are you also adding or removing new ACL checks? I see some extra checks like "makehome" and "cothers" are referred to in edit_user.cgi |
|
True, ldap-useradmin is very inconsistent in this area. Yes, the patch implements additional ACL checks, but it does not remove any existing. In practice, the patch is written to be extendable in future. |
6ec1f01 to
75f0ca4
Compare
The acl system of module ldap-useradmin include many acl roles not editable. They are in defaultacl and saved in acl_security_save, but never created in the acl form to be changed.
This patch deletes all not editable acl rights and uses them from the underlying useradmin module., instead of setting some of them to always allowed, as for instance udelete.
This is luckily possible due to exact the same names of acl roles between the two modules. Extending the acl roles for ldap-useradmin is easily possible, as only acl values for not present ldap-useradmin acl settings are copied from useradmin.
The list of secondary groups is limited to only allowed group from the access rights instead of showing all.
Edit masks for user and group consult access rights for options instead of display options always, for instance "change user in other modules".
They also consult module config to not display options not possible to execute, for instance create samba group when not group class is specified.
Access rights are also checked during save of user to reject group membership for not allowed groups. This is to prevent backdoor with direct HTTP request.