Univention Bugzilla – Bug 42513
import scripts change obj.info directly
Last modified: 2016-11-10 16:00:46 CET
The import scripts modify obj.info directly:

ucs-school-import/modules/ucsschool/importer/models/import_user.py
751		udm_obj.info.update(self.udm_properties)

This is not allowed as this bypasses many consistency checks and syntax class validation. This might lead to broken objects (and maybe security issues). Also errors for non-existent properties aren't recognized.

Inconsistencies might be:
* property may not change
* property is required but not set
* property is not allowed to change on AD-objects
* it's not detected that a default value is overwritten, leading to follow-up errors if the object is further used
* singlevalue properties might contain multiple entries
* property value has an invalid syntax
* property value with wrong encoding might be written into LDAP
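A simplified model of the difference described in this report, added here as an illustration and not taken from UDM or the ucs-school-import code. `DirectoryObject`, `Property`, `apply_checked` and the rules for `username` and `aliases` are hypothetical; the 64-character limit on `organisation` follows the error message quoted later in this bug.

```python
from collections import namedtuple

Property = namedtuple("Property", "max_len multivalue may_change",
                      defaults=(None, False, True))


class PropertyError(ValueError):
    """Raised when an assignment fails a consistency or syntax check."""


class DirectoryObject:
    """Hypothetical stand-in for a UDM object; 'info' is the raw value store."""
    descriptions = {
        "organisation": Property(max_len=64),
        "street": Property(),
        "username": Property(may_change=False),
        "aliases": Property(multivalue=True),
    }

    def __init__(self, **initial):
        self.info = dict(initial)  # plain dict: writing to it runs no checks

    def __setitem__(self, key, value):
        prop = self.descriptions.get(key)
        if prop is None:
            raise PropertyError("unknown property: %s" % key)
        if key in self.info and not prop.may_change:
            raise PropertyError("%s may not change" % key)
        if isinstance(value, list) != prop.multivalue:
            raise PropertyError("%s: wrong number of values" % key)
        for item in (value if prop.multivalue else [value]):
            if prop.max_len is not None and len(item) > prop.max_len:
                raise PropertyError("%s: longer than %d characters" % (key, prop.max_len))
        self.info[key] = value


def apply_checked(obj, properties):
    """Set each property through the validating interface; return the errors."""
    errors = {}
    for key, value in properties.items():
        try:
            obj[key] = value
        except PropertyError as exc:
            errors[key] = str(exc)
    return errors


# Constructed import data with four of the inconsistencies listed above.
BAD_INPUT = {"organisation": "x" * 65, "nosuchprop": "1", "username": "other", "street": ["a", "b"]}
```

Calling `obj.info.update(BAD_INPUT)` stores all four values silently, while `apply_checked(obj, BAD_INPUT)` rejects each of them and leaves the object unchanged.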
Created attachment 8038
patch

Also multiple obj.modify() calls might cause side effects because the internal state is not updated after modifying.
Attached patch addresses these (untested).
This should be tested with
* 205_import-users_attribute_schemes
* 206_import-users_multivalue_attributes
* 210_import-users_extended_attribute
73042: the ImportUser code now uses the correct ucsschool.lib interface for setting UDM properties.
73043: check consistency also when creating users from within hooks
73064: use 'street' instead of 'organisation' ('o') for pyhook tests
73066: make exception message more informative
73070: add test to check if UDM syntax checks are applied to ImportUser.udm_properties

All import-related tests ran successfully in my test env:
- 90_ucsschool/34_import-users-legacy
- 90_ucsschool/34_import-users_via_cli
- 90_ucsschool/2??_import-users_*

Now 90_ucsschool/202_import-users_username_recordUID_UDM_property revealed an error that had before been masked:

UDMValueError: UDM properties could not be set. Bad value: 'Organisation: The value must not be longer than 64 characters.'

PyHook-tests were being done with 'organisation', which is string64. r73064 changes it to use 'street' (string).

In r73070 a test was added, that fails with the code before r73042 to check if UDM syntax checks are applied to ImportUser.udm_properties in create() and modify().
r73076:
- rename: _check_consistency() → _prevent_mapped_attributes_in_udm_properties()
- move to common code path: _alter_udm_obj()
OK: test with a hook script
OK: syntax checks on create()
OK: syntax checks on modify()
OK: YAML
r73084: improved test to check that attributes mapped by the ucsschool.lib are prevented from being read from udm_properties
UCS@school 4.1 R2 v7 has been released.

http://docs.software-univention.de/changelog-ucsschool-4.1R2v7-de.html

If this error occurs again, please clone this bug.