From: Fabian Grünbichler Date: Wed, 7 Jun 2023 09:33:39 +0000 (+0200) Subject: check_sdn_bridge: correctly handle noerr X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=3c97bee53cf0f8d2700abe649d14cc6d10ce6d03;hp=a5616d5c6e903109c13b9cae2889c4cf3743ec04;p=pve-access-control.git check_sdn_bridge: correctly handle noerr Signed-off-by: Fabian Grünbichler --- diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm index ae2702c..745296a 100644 --- a/src/PVE/RPCEnvironment.pm +++ b/src/PVE/RPCEnvironment.pm @@ -324,6 +324,7 @@ sub check_full { } } +# check for any fashion of access to vnet/bridge sub check_sdn_bridge { my ($self, $username, $zone, $bridge, $privs, $noerr) = @_; @@ -331,14 +332,19 @@ sub check_sdn_bridge { my $cfg = $self->{user_cfg}; my $bridge_acl = PVE::AccessControl::find_acl_tree_node($cfg->{acl_root}, $path); if ($bridge_acl) { + # check access to VLANs my $vlans = $bridge_acl->{children}; for my $vlan (keys %$vlans) { my $vlanpath = "$path/$vlan"; - return 1 if $self->check_any($username, $vlanpath, $privs, $noerr); + return 1 if $self->check_any($username, $vlanpath, $privs, 1); } # check access to bridge itself - return 1 if $self->check_any($username, $path, $privs, $noerr); + return 1 if $self->check_any($username, $path, $privs, 1); } + + # repeat check, but fatal + $self->check_any($username, $path, $privs, 0) if !$noerr; + return; }
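Review bot: In the second hunk the non-fatal check of the bridge path, `return 1 if $self->check_any($username, $path, $privs, 1);`, still sits inside `if ($bridge_acl)`, so when `find_acl_tree_node` returns no node for `$path` a `$noerr` caller gets the empty return without `$path` ever being checked, while a fatal caller reaches `check_any($username, $path, $privs, 0)`. If `check_any` also honours permissions inherited from a parent path (its body is not visible here), the two modes can disagree for the same user, and a fatal check that passes still falls through to the bare `return;` rather than returning 1. Both outcomes fail closed, but the answer of an access-control helper should not depend on `$noerr`; consider moving the bridge check above the `if ($bridge_acl)` block and stating the return contract in the header comment, e.g. `# returns 1 if allowed; otherwise raises, or returns empty when $noerr is set`. The sub begins outside this hunk, so the assignment of `$path` is not shown.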