295ac63 privilege: use context.principal only when it is defined

1 file Authored by abbra 8 months ago, Committed by antorres 8 months ago,
    privilege: use context.principal only when it is defined
    
    In server-like context we use LDAPI connection with auto-binding to LDAP
    object based on the UID of the process connecting to LDAPI UNIX domain
    socket. This means context.principal is not set and we cannot use it.
    
    In principal_has_privilege() we can take None principal object as a sign
    that currently bound LDAP DN has to be checked for the privilege. This
    allows to match any type of account to the privilege, with exception of
    the cn=Directory Manager which is never added to privileges explicitly.
    
    cn=Directory Manager will be allowed any privilege because it already
    can write to any LDAP entry.
    
    Fixes: https://pagure.io/freeipa/issue/9583
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Thomas Woerner <twoerner@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>