#2909 Unable to create/modify read-only permission
Closed: Fixed None Opened 9 years ago by edewata.

IPA has some built-in read-only permissions such as Read DNS Entries and Read Entitlements. With the CLI it's possible to create/modify similar read-only permissions, for example:

% ipa permission-add test --permissions=read --attrs=cn
-----------------------
Added permission "test"
-----------------------
  Permission name: test
  Permissions: read
  Attributes: cn

% ipa permission-mod test --permissions=read --attrs=cn,sn
--------------------------
Modified permission "test"
--------------------------
  Permission name: test
  Permissions: read
  Attributes: cn, sn

However, with the Web UI it's not possible since the adder dialog and the details page do not provide a checkbox for read permission and the Permissions field is a required field, so the user would have to select a different permission (write, add, or delete).

One possible solution is to show a checkbox for read permission.

Permissions: [x] read
             [ ] write
             [ ] add
             [ ] delete

The read checkbox will always be selected and the user cannot unselect it (read-only checkbox). The Permissions field doesn't need to be required anymore because it will always have a value.


Most data is already readable so this would be redundant. What is missing is the ability to deny read access. This is on purpose as deny ACIs almost never do what you want or expect them to do and generally cause grief.

The problem is that you can't update read-only permissions without specifying additional rights. Validation won't allow it, rights are required.

The problem with Endi's proposal is that a lot of permissions don't contain the 'read' right, so if the checkbox were always selected it would make the widget 'dirty'.

Another way may be: add a 'read' read-only checkbox. So on update the UI will set/unset the read checkbox according to the input data. The read-only state would prevent the user from modifying the read state. Required validation would remain.

This is fixed as part of much larger changes, do we still want to clone?

We don't. This is fixed as part of #3358. Moving to the right release and closing.

Metadata Update from @edewata:
- Issue assigned to pvoborni
- Issue set to the milestone: FreeIPA 4.0 - 2014/06

5 years ago
