if ($cfg->{users}->{$user}) { # user exists
$cfg->{users}->{$user}->{groups}->{$group} = 1;
- $cfg->{groups}->{$group}->{users}->{$user} = 1;
} else {
warn "user config - ignore invalid group member '$user'\n";
}
+ $cfg->{groups}->{$group}->{users}->{$user} = 1;
}
} elsif ($et eq 'role') {
next;
}
+ if (!$cfg->{roles}->{$role}) {
+ warn "user config - ignore invalid acl role '$role'\n";
+ next;
+ }
+
foreach my $ug (split_list($uglist)) {
my ($group) = $ug =~ m/^@(\S+)$/;
if ($group && verify_groupname($group, 1)) {
- if ($cfg->{groups}->{$group}) { # group exists
- $cfg->{acl}->{$path}->{groups}->{$group}->{$role} = $propagate;
- } else {
+ if (!$cfg->{groups}->{$group}) { # group does not exist
warn "user config - ignore invalid acl group '$group'\n";
}
+ $cfg->{acl}->{$path}->{groups}->{$group}->{$role} = $propagate;
} elsif (PVE::Auth::Plugin::verify_username($ug, 1)) {
- if ($cfg->{users}->{$ug}) { # user exists
- $cfg->{acl}->{$path}->{users}->{$ug}->{$role} = $propagate;
- } else {
+ if (!$cfg->{users}->{$ug}) { # user does not exist
warn "user config - ignore invalid acl member '$ug'\n";
}
+ $cfg->{acl}->{$path}->{users}->{$ug}->{$role} = $propagate;
} elsif (my ($user, $token) = split_tokenid($ug, 1)) {
if (check_token_exist($cfg, $user, $token, 1)) {
$cfg->{acl}->{$path}->{tokens}->{$ug}->{$role} = $propagate;
my ($cfg, $user, $path) = @_;
# NOTE: we do not consider pools here.
+ # NOTE: for privsep tokens, this does not filter roles by those that the
+ # corresponding user has.
# Use $rpcenv->permission() for any actual permission checks!
return 'Administrator' if $user eq 'root@pam'; # root can do anything
- my $perm = {};
+ if (pve_verify_tokenid($user, 1)) {
+ my $tokenid = $user;
+ my ($username, $token) = split_tokenid($tokenid);
+
+ my $token_info = $cfg->{users}->{$username}->{tokens}->{$token};
+ return () if !$token_info;
+
+ my $user_roles = roles($cfg, $username, $path);
+
+ # return full user privileges
+ return $user_roles if !$token_info->{privsep};
+ }
+
+ my $roles = {};
foreach my $p (sort keys %{$cfg->{acl}}) {
my $final = ($path eq $p);
#print "CHECKACL $path $p\n";
#print "ACL $path = " . Dumper ($acl);
+ if (my $ri = $acl->{tokens}->{$user}) {
+ my $new;
+ foreach my $role (keys %$ri) {
+ my $propagate = $ri->{$role};
+ if ($final || $propagate) {
+ #print "APPLY ROLE $p $user $role\n";
+ $new = {} if !$new;
+ $new->{$role} = $propagate;
+ }
+ }
+ if ($new) {
+ $roles = $new; # overwrite previous settings
+ next;
+ }
+ }
if (my $ri = $acl->{users}->{$user}) {
my $new;
if ($final || $propagate) {
#print "APPLY ROLE $p $user $role\n";
$new = {} if !$new;
- $new->{$role} = 1;
+ $new->{$role} = $propagate;
}
}
if ($new) {
- $perm = $new; # overwrite previous settings
+ $roles = $new; # overwrite previous settings
next; # user privs always override group privs
}
}
if ($final || $propagate) {
#print "APPLY ROLE $p \@$g $role\n";
$new = {} if !$new;
- $new->{$role} = 1;
+ $new->{$role} = $propagate;
}
}
}
}
if ($new) {
- $perm = $new; # overwrite previous settings
+ $roles = $new; # overwrite previous settings
next;
}
}
- return ('NoAccess') if defined ($perm->{NoAccess});
- #return () if defined ($perm->{NoAccess});
-
- #print "permission $user $path = " . Dumper ($perm);
+ return { 'NoAccess' => $roles->{NoAccess} } if defined ($roles->{NoAccess});
+ #return () if defined ($roles->{NoAccess});
- my @ra = keys %$perm;
+ #print "permission $user $path = " . Dumper ($roles);
#print "roles $user $path = " . join (',', @ra) . "\n";
- return @ra;
+ return $roles;
}
sub remove_vm_access {