X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=PVE%2FAccessControl.pm;h=5e1185f9909efdd7d796c5f8f012c3d8abc0552b;hb=f3c87f9b4e1a162b3d087e14fbc84fe9788c9a9e;hp=71ccf6ba7b7667c0a8d693abbd4a996d1913c04c;hpb=e915e9e4545bc3251a100c2ba60c0bce29316db8;p=pve-access-control.git
diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 71ccf6b..5e1185f 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -1079,6 +1079,11 @@ sub parse_user_config {
 next;
 }
+ if (!$cfg->{roles}->{$role}) {
+ warn "user config - ignore invalid acl role '$role'\n";
+ next;
+ }
+
 foreach my $ug (split_list($uglist)) {
 my ($group) = $ug =~ m/^@(\S+)$/;
@@ -1365,13 +1370,13 @@ sub roles {
 my $token_info = $cfg->{users}->{$username}->{tokens}->{$token};
 return () if !$token_info;
- my @user_roles = roles($cfg, $username, $path);
+ my $user_roles = roles($cfg, $username, $path);
 # return full user privileges
- return @user_roles if !$token_info->{privsep};
+ return $user_roles if !$token_info->{privsep};
 }
- my $perm = {};
+ my $roles = {};
 foreach my $p (sort keys %{$cfg->{acl}}) {
 my $final = ($path eq $p);
@@ -1389,11 +1394,11 @@ sub roles {
 if ($final || $propagate) {
 #print "APPLY ROLE $p $user $role\n";
 $new = {} if !$new;
- $new->{$role} = 1;
+ $new->{$role} = $propagate;
 }
 }
 if ($new) {
- $perm = $new; # overwrite previous settings
+ $roles = $new; # overwrite previous settings
 next;
 }
 }
@@ -1405,11 +1410,11 @@ sub roles {
 if ($final || $propagate) {
 #print "APPLY ROLE $p $user $role\n";
 $new = {} if !$new;
- $new->{$role} = 1;
+ $new->{$role} = $propagate;
 }
 }
 if ($new) {
- $perm = $new; # overwrite previous settings
+ $roles = $new; # overwrite previous settings
 next; # user privs always override group privs
 }
 }
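Review bot: Skipping the ACL entry in the added `if (!$cfg->{roles}->{$role})` block (the @@ -1079 hunk) also removes its shadowing effect, which can widen access rather than narrow it. The role resolution changed in this same commit replaces inherited roles with the more specific path's entry (`$roles = $new; # overwrite previous settings`), so an entry naming a deleted custom role on a child path presumably used to mask a grant propagated from a parent path; once the entry is ignored, the parent's role applies there again. If that is intended it deserves a comment above the check, e.g. `# NOTE: a dropped entry no longer overrides roles propagated from parent paths`; otherwise the entry should be kept and resolve to no privileges. The check also assumes every role definition has been parsed before the first acl line is reached, which the hunk does not show; parse_user_config continues outside it.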
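Review bot: The unchanged context line `return () if !$token_info;` in the @@ -1365 hunk still returns an empty list, while every return touched by this commit now yields a hash reference, so a caller that assigns the result to a scalar gets undef for an unknown token instead of an empty role set. `return {} if !$token_info;` keeps the return type uniform and spares callers that dereference the result a special case. Any other early return in roles() above this hunk (not visible here) needs the same treatment, and the callers' move from list to hashref should land in the same series.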
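Review bot: `$new->{$role} = $propagate;` in the @@ -1389 hunk changes the meaning of the hash value from a constant 1 to the ACL's propagate flag, and nothing in the hunk documents that. Because a role is also applied when `$final` is true and `$propagate` is false, the value can now be false for a role the user really holds, so any consumer that tests `if ($roles->{$role})` instead of `exists` would silently drop it. I would add `# value is the propagate flag and may be false; membership is key existence` above the assignment, here and at the identical assignments in the @@ -1405 and @@ -1423 hunks. The enclosing loops start outside the hunk.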
@@ -1423,27 +1428,25 @@ sub roles {
 if ($final || $propagate) {
 #print "APPLY ROLE $p \@$g $role\n";
 $new = {} if !$new;
- $new->{$role} = 1;
+ $new->{$role} = $propagate;
 }
 }
 }
 }
 if ($new) {
- $perm = $new; # overwrite previous settings
+ $roles = $new; # overwrite previous settings
 next;
 }
 }
- return ('NoAccess') if defined ($perm->{NoAccess});
- #return () if defined ($perm->{NoAccess});
-
- #print "permission $user $path = " . Dumper ($perm);
+ return { 'NoAccess' => $roles->{NoAccess} } if defined ($roles->{NoAccess});
+ #return () if defined ($roles->{NoAccess});
- my @ra = keys %$perm;
+ #print "permission $user $path = " . Dumper ($roles);
 #print "roles $user $path = " . join (',', @ra) . "\n";
- return @ra;
+ return $roles;
 }
 sub remove_vm_access {
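Review bot: `return { 'NoAccess' => $roles->{NoAccess} } if defined ($roles->{NoAccess});` now depends on the stored propagate flag being defined, whereas the old code always stored 1; if a flag can ever be undef, the deny role would be returned alongside the other roles instead of replacing them. `exists $roles->{NoAccess}` expresses the intent without relying on how the flag is parsed, which is not visible here. In the group branch at the top of the hunk, `$new->{$role} = $propagate;` lets whichever group is iterated last decide the flag when two groups grant the same role on the same path, assuming the enclosing loop (which starts outside the hunk) walks several groups; `$new->{$role} ||= $propagate;` would make the result order-independent. The leftover `#print "roles ..."` debug comment still refers to the removed `@ra`.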