Univention Bugzilla – Bug 35624
search_base is wrongly initialized: Tests against OU-DN fail
Last modified: 2014-08-27 17:01:45 CEST
There is a possibly serious bug in "@LDAP_Connection"-decorated functions that cannot be solved on a lower level: The decorator initializes a variable search_base with all available schools. If the list of available schools is 1 (which is the case for users with ou= in their user DN (teachers, etc.)) everything is fine: They can only view, say, rooms for that school and test against that school. But "Administrator" does not have a ou= in her user DN: The list of schools is complete. In this case, tests like seach_base.isTeacher() test against the OU of *the first* school in this list. Now, if Administrator wants to assign teachers to a class of another school (not the first one), the code fails: memberDNs = [ usr for usr in grp[ 'users' ] if search_base.isTeacher(usr) ] will always return an empty list for that group as no member's DN is "below" the first school's DN. Fix is to create a new search_base every time a test like this is done. school_name = SchoolSearchBase.getOU(grp.dn) search_base = SchoolSearchBase([school_name]) This has to be done for ucs-school-umc-groups and potentially all other modules (has to be checked manually). Scope of this bug is ucs-school-umc-groups. Feel free to clone this bug again and again. Note that the ucsschool.lib does not suffer from this bug. But it has not yet received wide adoption.
This bug may not be that serious in general because of the following code in @LDAP_Connection(): # THIS IS BUGGY kwargs['search_base'] = _search_base if len(args) > 1 and isinstance(args[1], Message): # Some strange "convention over configuration" sets the search_base correctly school = isinstance( args[1].options, dict ) and args[1].options.get('school') or None if school: kwargs[ 'search_base' ] = SchoolSearchBase( _search_base.availableSchools, school ) Nevertheless, this 'school' parameter may not always be set (as it was not in the ucs-school-umc-groups case), so we need to check this very error prone search_base.
ucs-school-umc-groups 2.0.5-3
*** Bug 34859 has been marked as a duplicate of this bug. ***
Code-Review: OK Fix: OK I did not find further occurrences of that bug. Changelog: OK
UCS@school 3.2 R2 v2 has been released: http://docs.univention.de/release-notes-ucsschool-3.2R2v2-de.html If this error occurs again, please use "Clone This Bug".