fix NoAccess when inheritred from pool

[pve-access-control.git] / PVE / RPCEnvironment.pm

diff --git a/PVE/RPCEnvironment.pm b/PVE/RPCEnvironment.pm
index a2b8bc224ef9c80484f08b17402b0e3fd833fe30..0df71dca594099544d2cdc5961c31831927947ff 100644 (file)
--- a/PVE/RPCEnvironment.pm
+++ b/PVE/RPCEnvironment.pm
@@ -129,8 +129,12 @@ my $compile_acl_path = sub {
     # Note: assume we do not want to propagate those privs
     if ($data->{poolroles}->{$path}) {
        if (!($ra[0] && $ra[0] eq 'NoAccess')) {
-           foreach my $role (keys %{$data->{poolroles}->{$path}}) {
-               push @ra, $role;
+           if ($data->{poolroles}->{$path}->{NoAccess}) {
+               @ra = ('NoAccess');
+           } else {
+               foreach my $role (keys %{$data->{poolroles}->{$path}}) {
+                   push @ra, $role;
+               }
            }
        }
     }