commit 0bb2c9a469c57d2897a20167556aff3dd8c4108d
Author: Florian Best
Date: Wed May 27 14:01:36 2020 +0200
Bug #51364: filter inetOrgPerson objectclass in settings/usertemplate
diff --git management/univention-directory-manager-modules/modules/univention/admin/handlers/__init__.py management/univention-directory-manager-modules/modules/univention/admin/handlers/__init__.py
index 7190d24f3f..482174a332 100644
--- management/univention-directory-manager-modules/modules/univention/admin/handlers/__init__.py
+++ management/univention-directory-manager-modules/modules/univention/admin/handlers/__init__.py
@@ -1239,35 +1239,7 @@ class simpleLdap(object):
 al = self._ldap_addlist()
 al.extend(self._ldap_modlist())
- m = univention.admin.modules.get(self.module)
-
- # evaluate extended attributes
- ocs = set()
- for prop in getattr(m, 'extended_udm_attributes', []):
- ud.debug(ud.ADMIN, ud.INFO, 'simpleLdap._create: info[%s]:%r = %r' % (prop.name, self.has_property(prop.name), self.info.get(prop.name)))
- if prop.syntax == 'boolean' and self.info.get(prop.name) == '0':
- continue
- if self.has_property(prop.name) and self.info.get(prop.name):
- ocs.add(prop.objClass)
-
- module_options = univention.admin.modules.options(self.module)
- # add object classes of (especially extended) options
- for option in ['default'] + self.options:
- try:
- opt = module_options[option]
- except KeyError:
- ud.debug(ud.ADMIN, ud.INFO, '%r does not specify option %r' % (m.module, option))
- continue
- ocs |= set(opt.objectClasses)
-
- # remove duplicated object classes
- for i in al:
- key, val = i[0], i[-1] # might be a triple
- if val and key.lower() == 'objectclass':
- ocs -= set([val] if isinstance(val, basestring) else val)
- if ocs:
- al.append(('objectClass', list(ocs)))
-
+ al = self._ldap_object_classes_add(al)
 al = self.call_udm_property_hook('hook_ldap_addlist', self, al)
 # ensure univentionObject is set
@@ -1302,6 +1274,37 @@ class simpleLdap(object):
 self.save()
 return self.dn
+ def _ldap_object_classes_add(self, al):
+ m = univention.admin.modules.get(self.module)
+ # evaluate extended attributes
+ ocs = set()
+ for prop in getattr(m, 'extended_udm_attributes', []):
+ ud.debug(ud.ADMIN, ud.INFO, 'simpleLdap._create: info[%s]:%r = %r' % (prop.name, self.has_property(prop.name), self.info.get(prop.name)))
+ if prop.syntax == 'boolean' and self.info.get(prop.name) == '0':
+ continue
+ if self.has_property(prop.name) and self.info.get(prop.name):
+ ocs.add(prop.objClass)
+
+ module_options = univention.admin.modules.options(self.module)
+ # add object classes of (especially extended) options
+ for option in ['default'] + self.options:
+ try:
+ opt = module_options[option]
+ except KeyError:
+ ud.debug(ud.ADMIN, ud.INFO, '%r does not specify option %r' % (m.module, option))
+ continue
+ ocs |= set(opt.objectClasses)
+
+ # remove duplicated object classes
+ for i in al:
+ key, val = i[0], i[-1] # might be a triple
+ if val and key.lower() == 'objectclass':
+ ocs -= set([val] if isinstance(val, basestring) else val)
+ if ocs:
+ al.append(('objectClass', list(ocs)))
+
+ return al
+
 def _modify(self, modify_childs=1, ignore_license=0, response=None, serverctrls=None):
 """Modify the object. Should only be called by :func:`univention.admin.handlers.simpleLdap.modify`."""
 self.exceptions = []
diff --git management/univention-directory-manager-modules/modules/univention/admin/handlers/settings/usertemplate.py management/univention-directory-manager-modules/modules/univention/admin/handlers/settings/usertemplate.py
index 69a22bcbfe..71eaa2033a 100644
--- management/univention-directory-manager-modules/modules/univention/admin/handlers/settings/usertemplate.py
+++ management/univention-directory-manager-modules/modules/univention/admin/handlers/settings/usertemplate.py
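Review bot: `_ldap_object_classes_add` is now an override point (settings/usertemplate overrides it in this same commit) but has no docstring stating its contract. I would add one saying that it takes the add-list of 2- or 3-element entries, appends one `('objectClass', [...])` entry for classes implied by extended attributes and options that are not already listed, mutates `al` in place and returns it. The moved `ud.debug` call still prefixes its message with `simpleLdap._create:`, which no longer names the function that emits it, and it writes the repr of each extended attribute's value to the debug log, so it is worth confirming that none of those attributes can hold secrets. The `basestring` test is Python 2 only, while the usertemplate side of this commit uses `six.string_types`.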
@@ -30,6 +30,8 @@
 # /usr/share/common-licenses/AGPL-3; if not, see
 # .
+import six
+
 from univention.admin.layout import Tab, Group
 import univention.admin.filter
 import univention.admin.handlers
@@ -348,6 +350,8 @@ mapping.register('mailPrimaryAddress', 'mailPrimaryAddress', None, univention.ad
 mapping.register('mailAlternativeAddress', 'mailAlternativeAddress')
 mapping.register('_options', 'userOptionsPreset')
+BLACKLISTED_OBJECT_CLASSES = {'inetOrgPerson'}
+
 class object(univention.admin.handlers.simpleLdap):
 module = module
@@ -357,6 +361,19 @@ class object(univention.admin.handlers.simpleLdap):
 univention.admin.syntax.optionsUsersUser.update_choices() # woraround: somehow init() didn't do it
 self.options.extend(self['_options'])
+ def _ldap_object_classes(self, ml):
+ ml = super(object, self)._ldap_object_classes(ml)
+ return self.filter_object_classes(ml)
+
+ def _ldap_object_classes_add(self, al):
+ al = super(object, self)._ldap_object_classes_add(al)
+ return self.filter_object_classes(al)
+
+ def filter_object_classes(self, ml):
+ ml = [x for x in ml if x[0] != 'objectClass' or not isinstance(x[-1], six.string_types) or x[-1] not in BLACKLISTED_OBJECT_CLASSES]
+ ml = [x if x[0] != 'objectClass' and not isinstance(x[-1], (list, tuple)) else list(x[:-1]) + [list(set(x[-1]) - BLACKLISTED_OBJECT_CLASSES)] for x in ml]
+ return ml
+
 def _ldap_pre_modify(self):
 super(object, self)._ldap_pre_modify()
 self['_options'].extend(self.options)
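Review bot: The second comprehension in `filter_object_classes` joins its two tests with `and`, so the rewrite branch runs for every entry that either is an `objectClass` entry or has a list/tuple value, not only for list-valued `objectClass` entries. A string-valued `objectClass` that survives the first pass is handed to `set()` and split into characters, and every other multi-valued attribute in the list is de-duplicated and reordered through `set()` (and would lose a value equal to `inetOrgPerson`). The attribute name and the class names are also compared case-sensitively, whereas the base `_ldap_object_classes_add` matches `key.lower() == 'objectclass'`, so a differently cased spelling of the class would not be filtered. A single loop that touches only objectClass entries and keeps value order is sketched below; it assumes the values are text, as the existing `six.string_types` test already does.

```python
    def filter_object_classes(self, ml):
        blacklisted = {oc.lower() for oc in BLACKLISTED_OBJECT_CLASSES}
        filtered = []
        for x in ml:
            val = x[-1]
            if x[0].lower() != 'objectclass':
                # leave every other attribute exactly as it was
                filtered.append(x)
            elif isinstance(val, six.string_types):
                if val.lower() not in blacklisted:
                    filtered.append(x)
            elif isinstance(val, (list, tuple)):
                kept = [oc for oc in val if oc.lower() not in blacklisted]
                filtered.append(list(x[:-1]) + [kept])
            else:
                filtered.append(x)
        return filtered
```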