Diffstat (limited to 'perl/Wallet/Object')
-rw-r--r--perl/Wallet/Object/Base.pm16
-rw-r--r--perl/Wallet/Object/Keytab.pm10
2 files changed, 26 insertions, 0 deletions
diff --git a/perl/Wallet/Object/Base.pm b/perl/Wallet/Object/Base.pm
index 8d01ae8..10864b7 100644
--- a/perl/Wallet/Object/Base.pm
+++ b/perl/Wallet/Object/Base.pm
@@ -198,6 +198,10 @@ sub _set_internal {
$time ||= time;
my $name = $self->{name};
my $type = $self->{type};
+ if ($self->flag_check ('locked')) {
+ $self->error ("cannot modify ${type}:${name}: object is locked");
+ return;
+ }
eval {
my $sql = "select ob_$attr from objects where ob_type = ? and
ob_name = ?";
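Review bot: The new guard in `_set_internal` treats any false result from `flag_check` as "not locked", so if `flag_check` can return undef when its lookup fails (its body is not part of this diff), a database error would let the modification proceed on a locked object. Capturing the result and stopping on undef would fail closed: `my $locked = $self->flag_check ('locked');` then `return if not defined $locked;` before `if ($locked) {`. The same pattern is added to `store` and `destroy` in this file and to `destroy` and `get` in Keytab.pm. `_set_internal` starts and ends outside the hunk.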
@@ -425,6 +429,10 @@ sub get { die "Do not instantiate Wallet::Object::Base directly\n"; }
sub store {
my ($self, $data, $user, $host, $time) = @_;
my $id = $self->{type} . ':' . $self->{name};
+ if ($self->flag_check ('locked')) {
+ $self->error ("cannot store $id: object is locked");
+ return;
+ }
$self->error ("cannot store $id: object type is immutable");
return;
}
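Review bot: In the base `store` the lock test only selects which error is reported, because the statement after it rejects the call unconditionally with "object type is immutable". A subclass that overrides `store` without calling this method gets no lock enforcement from it. That is worth stating above the `if`, for example `# Subclasses that override store() must check the locked flag themselves.`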
@@ -508,6 +516,10 @@ sub destroy {
$time ||= time;
my $name = $self->{name};
my $type = $self->{type};
+ if ($self->flag_check ('locked')) {
+ $self->error ("cannot destroy ${type}:${name}: object is locked");
+ return;
+ }
eval {
my $sql = 'delete from flags where fl_type = ? and fl_name = ?';
$self->{dbh}->do ($sql, undef, $type, $name);
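Review bot: The lock test in `destroy` sits before the `eval` block that issues the deletes, so the check and the deletion are not visibly part of one transaction. If `flag_check` runs and commits its own query (not shown in this diff), a `locked` flag set by another session between the test and the `delete from flags` statement would be missed. Consider doing the flag lookup inside the `eval`, or record the limitation with a comment such as `# Lock check is not atomic with the deletes below.` The body of `destroy` continues past the end of the hunk.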
@@ -596,6 +608,10 @@ The following methods may be called on instantiated wallet objects.
Normally, the only methods that a subclass will need to override are get(),
store(), show(), and destroy().
+If the locked flag is set on an object, no actions may be performed on that
+object except for the flag methods and show(). All other actions will be
+rejected with an error saying the object is locked.
+
=over 4
=item acl(TYPE [, ACL, PRINCIPAL, HOSTNAME [, DATETIME]])
diff --git a/perl/Wallet/Object/Keytab.pm b/perl/Wallet/Object/Keytab.pm
index 38e0938..e4a41cd 100644
--- a/perl/Wallet/Object/Keytab.pm
+++ b/perl/Wallet/Object/Keytab.pm
@@ -187,6 +187,11 @@ sub create {
# Override destroy to delete the principal out of Kerberos as well.
sub destroy {
my ($self, $user, $host, $time) = @_;
+ my $id = $self->{type} . ':' . $self->{name};
+ if ($self->flag_check ('locked')) {
+ $self->error ("cannot destroy $id: object is locked");
+ return;
+ }
return undef if not $self->_kadmin_delprinc ($self->{name});
return $self->SUPER::destroy ($user, $host, $time);
}
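Review bot: The check added to the Keytab `destroy` duplicates the one this commit adds to the base class `destroy`, and nothing in the code says why both are needed. It matters here because `_kadmin_delprinc` runs before `SUPER::destroy`, so without the early test the principal would already be removed from Kerberos by the time the base class refused. A comment such as `# Check the lock before touching Kerberos; SUPER::destroy would reject too late.` would keep a later cleanup from dropping it. The new path also uses a bare `return;` while the following line uses `return undef`, and the two differ in list context.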
@@ -196,6 +201,11 @@ sub destroy {
sub get {
my ($self, $user, $host, $time) = @_;
$time ||= time;
+ my $id = $self->{type} . ':' . $self->{name};
+ if ($self->flag_check ('locked')) {
+ $self->error ("cannot get $id: object is locked");
+ return;
+ }
unless (defined ($Wallet::Config::KEYTAB_TMP)) {
$self->error ('KEYTAB_TMP configuration variable not set');
return undef;