idviews: Check for the Default Trust View only if applying the view

Currently, the code wrongly validates the idview-unapply command. Move
check for the forbidden application of the Default Trust View into
the correct logical branch.

https://fedorahosted.org/freeipa/ticket/4969

Reviewed-By: Martin Basti <[email protected]>

1 files changed, 8 insertions, 6 deletions

diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index 4a1416224..48f646b81 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -256,17 +256,19 @@ class baseidview_apply(LDAPQuery):
         if not options.get('clear_view', False):
             view_dn = self.api.Object['idview'].get_dn_if_exists(view)
             assert isinstance(view_dn, DN)
+
+            # Check that we're not applying the Default Trust View
+            if view.lower() == DEFAULT_TRUST_VIEW_NAME:
+                raise errors.ValidationError(
+                    name=_('ID View'),
+                    error=_('Default Trust View cannot be applied on hosts')
+                )
+
         else:
             # In case we are removing assigned view, we modify the host setting
             # the ipaAssignedIDView to None
             view_dn = None
 
-        if view.lower() == DEFAULT_TRUST_VIEW_NAME:
-            raise errors.ValidationError(
-                name=_('ID View'),
-                error=_('Default Trust View cannot be applied on hosts')
-            )
-
         completed = 0
         succeeded = {'host': []}
         failed = {