Univention Bugzilla – Bug 44203
pass ldap connection to udm hooks
Last modified: 2020-03-23 12:50:18 CET
When a UDM hook is called (creation for example here: univention/admin/modules.py:297) the existing UDM-LDAP connection is not passed to it. If it needs LDAP/UDM access, it must then get those credentials itself - often involving Administrator or root access. Change univention.admin.hook.simpleHook in such a way that the current UDM-LDAP connection is usable in classes inheriting from it. As univention.admin.hook.simpleHook currently has no __init__(), the API change can probably be done backwards compatible there. All existing hooks have to be checked first.
r79089: pass LDAP connection to UDM hooks, doesn't change simpleHook API
This allows running UDM hooks without root privileges (no need to get {ldap,machine}.secret).
Package: univention-directory-manager-modules
Version: 12.0.17-4A~4.2.0.201705041749
Branch: ucs_4.2-0
Scope: errata4.2-0
Hmmm. Why is it a private class member?
I didn't dare to add a class attribute with a common name such as "lo" and "po", as I haven't researched all existing UDM hooks. It doesn't need to be private at all, I just want to prevent accidentally breaking someone else's derived class's code.
I'm not satisfied with this solution. Using _lo / _po as API is no good style which will cause more trouble in the future than it solves. Please change it to the following pattern:
    register_ldap_connection = getattr(propertyHook, 'hook_ldap_connection', None)
    if register_ldap_connection:
        register_ldap_connection(lo, po)
So that each hook is as powerful and flexible as possible.
r79179: API change: added simpleHook.register_ldap_connection() to pass LDAP connection to UDM hook
r79180: advisory update
univention-directory-manager-modules 12.0.17-5A~4.2.0.201705081340
Created Bug #44552 to update the documentation of "Extended Attribute Hooks".
OK: the new method is working
Nevertheless, this change wasn't really required because you could simply access module/object.lo and module/object.po which is passed to every hook. The new API just adds extra complexity.
I think it's better to revert this, as we don't need to maintain and document this unneeded code. As can also be seen in the use of it, it adds unneeded extra complexity (attachment 8837). The LDAP connection of the user is available at object.{lo,position}. We could document this instead in the developer documentation.
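The point made in the comment above, that a hook can reuse the connection at object.lo and object.position instead of fetching ldap.secret or machine.secret, shown as an added example that is not part of the bug thread or of Univention's code. The hook name, the employeeNumber property, the ValueError and the Fake* stand-ins are assumptions made for illustration.

```python
try:
    from univention.admin.hook import simpleHook      # present on a UCS system
except ImportError:
    class simpleHook(object):                         # stand-in so this runs elsewhere
        type = 'simpleHook'


def escape_filter(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    for char in ('\\', '*', '(', ')', '\x00'):        # backslash must come first
        value = value.replace(char, '\\%02x' % ord(char))
    return value


class UniqueEmployeeNumber(simpleHook):               # hypothetical hook
    type = 'UniqueEmployeeNumber'

    def duplicates(self, obj):
        """DNs that already carry the employeeNumber of the object being created."""
        number = obj.info.get('employeeNumber')       # assumed property name
        if not number:
            return []
        # obj.lo is the calling user's own connection: that user's ACLs apply
        flt = '(employeeNumber=%s)' % escape_filter(number)
        return obj.lo.searchDn(filter=flt, base=obj.position.getDomain())

    def hook_ldap_pre_create(self, obj):
        found = self.duplicates(obj)
        if found:
            raise ValueError('employeeNumber already used by %s' % found[0])


class FakePosition(object):                           # constructed stand-in
    def getDomain(self):
        return 'dc=example,dc=test'


class FakeLo(object):                                 # constructed stand-in for obj.lo
    def __init__(self, entries):
        self.entries, self.seen = entries, []

    def searchDn(self, filter, base):
        self.seen.append((filter, base))
        return list(self.entries.get(filter, []))


class FakeObject(object):                             # constructed stand-in for the UDM object
    def __init__(self, number, lo):
        self.info, self.lo, self.position = {'employeeNumber': number}, lo, FakePosition()
```

The hook never opens a secret file or a second bind, so it works for any user who is allowed to run UDM and sees only what that user's LDAP ACLs permit.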
r79300: code change was reverted, comment added.
r79302: advisory update
Package: univention-directory-manager-modules
Version: 12.0.17-6A~4.2.0.201705111649
Branch: ucs_4.2-0
Scope: errata4.2-0
OK: revert
OK: YAML revert
Nothing to release.