From b55e33f4e4bd842b3ed0b8072129e80bc5baccd8 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Fabian=20Gr=C3=BCnbichler?= Date: Fri, 3 Jun 2022 13:50:47 +0200 Subject: [PATCH 1/1] permissions: properly merge propagation flag MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit when multiple roles are defined on a path that share a privilege, this randomly took the propagation flag for the priv from the last role encountered. since perl hashes are iterated randomly, this means the propagation flag was sometimes set correctly, and sometimes not. note that this propagation flag is only used for display/dumping purposes, and for intersection with token privs (see next commit). actual handling of propagation happens on the role level in PVE::AccessControl::roles(). modified test case (spuriously) fails without the fix. Signed-off-by: Fabian Grünbichler
---
 src/PVE/RPCEnvironment.pm | 2 +- src/test/test8.cfg | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm
index ed5625e..b5da4f2 100644
--- a/src/PVE/RPCEnvironment.pm
+++ b/src/PVE/RPCEnvironment.pm
@@ -74,7 +74,7 @@ my $compile_acl_path = sub {
 foreach my $role (keys %$roles) {
 if (my $privset = $cfg->{roles}->{$role}) {
 foreach my $p (keys %$privset) {
- $privs->{$p} = $roles->{$role};
+ $privs->{$p} ||= $roles->{$role};
 }
 }
 }
diff --git a/src/test/test8.cfg b/src/test/test8.cfg
index 2f85bfd..d5c7e86 100644
--- a/src/test/test8.cfg
+++ b/src/test/test8.cfg
@@ -16,6 +16,8 @@ role:customer:VM.Audit,VM.PowerMgmt:
 role:vm_admin:VM.Audit,VM.Allocate,Permissions.Modify,VM.Console:
 acl:1:/vms:@testgroup1:vm_admin:
+acl:0:/vms/300:max@pve:customer:
+acl:1:/vms/300:max@pve:vm_admin:
 acl:1:/vms/100/:alex@pve,max@pve:customer:
 acl:1:/storage/nfs1:@testgroup2:storage_manager:
 acl:1:/users:max@pve:Administrator:
-- 
2.39.2
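Review bot: The `||=` in the inner `foreach my $p` loop reads like the usual default-if-unset idiom, but here it is a deliberate logical OR of the propagation flag over every role that grants `$p`, and that should be stated next to it, e.g. `# OR-merge: a priv propagates if any role granting it on this path propagates`. The commit message says the flag will also feed the intersection with token privileges, so this most-permissive-wins rule becomes part of an authorization decision; a later "cleanup" back to `=`, or to `//=` (which would keep a defined 0 from the first role), would silently bring back the order-dependent result. `||=` also keeps any truthy value already present in `$privs` before the loop; where `$privs` is initialised is outside the hunk, so it is worth confirming that it starts empty for each compiled path. `$compile_acl_path` begins and ends outside the hunk.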
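Review bot: The two added `/vms/300` entries guard against a regression only some of the time, because the commit message says the old code failed depending on hash iteration order, not on the order of the lines in this file. Running this test under a few fixed `PERL_HASH_SEED` values with `PERL_PERTURB_KEYS=0` would make a revert of the fix fail deterministically. No assertion file is touched by this patch, so presumably an existing check already covers `max@pve` on `/vms/300`; that is worth confirming.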