grantfu: 2-pass processing

First revokes, then grants.

This supports one-object-in-several-sections situation.

Although that is bad style and better avoided, current
behavour results in unobvious breakage.

1 files changed, 19 insertions, 10 deletions

diff --git a/scripts/grantfu.py b/scripts/grantfu.py
index 5d89d559..74739d80 100755
--- a/scripts/grantfu.py
+++ b/scripts/grantfu.py
@@ -85,16 +85,10 @@ class PConf(SafeConfigParser):
         return res
 
 class GrantFu:
-    def __init__(self, cf_file, revoke):
+    def __init__(self, cf, revoke):
+        self.cf = cf
         self.revoke = revoke
 
-        # load config
-        self.cf = PConf()
-        self.cf.read(cf_file)
-        if not self.cf.has_section("GrantFu"):
-            print "Incorrect config file, GrantFu sction missing"
-            sys.exit(1)
-
         # avoid putting grantfu vars into defaults, thus into every section
         self.group_list = []
         self.user_list = []
@@ -317,11 +311,26 @@ def main():
     if len(args) != 1:
         usage(1)
 
+    # load config
+    cf = PConf()
+    cf.read(args[0])
+    if not cf.has_section("GrantFu"):
+        print "Incorrect config file, GrantFu sction missing"
+        sys.exit(1)
+
     if tx:
         print "begin;\n"
 
-    g = GrantFu(args[0], revoke)
-    g.process()
+    # revokes and default grants
+    if revoke & (R_NEW | R_DEFS):
+        g = GrantFu(cf, revoke | R_ONLY)
+        g.process()
+        revoke = revoke & R_ONLY
+
+    # grants
+    if revoke & R_ONLY == 0:
+        g = GrantFu(cf, revoke & G_DEFS)
+        g.process()
 
     if tx:
         print "\ncommit;\n"