rpcenv->permissions() ensure propagate is always defined

[pve-access-control.git] / src / PVE / RPCEnvironment.pm

diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm
index 5e0ef0421a2ac36d2008c785a3a14ef6c314273c..b1348fab8f38141606cbce5a61d2d6a4ded3253d 100644 (file)
--- a/src/PVE/RPCEnvironment.pm
+++ b/src/PVE/RPCEnvironment.pm
@@ -86,6 +86,11 @@ my $compile_acl_path = sub {
        $privs = { map { $_ => $user_privs->{$_} && $privs->{$_} } @$filtered_privs };
     }
 
+    foreach my $priv (keys %$privs) {
+       # safeguard, this should never happen anyway
+       delete $privs->{$priv} if !defined($privs->{$priv});
+    }
+
     $data->{privs}->{$path} = $privs;
 
     return $privs;
@@ -155,6 +160,8 @@ sub compute_api_permission {
        my $toplevel = ($path =~ /^\/(\w+)/) ? $1 : 'dc';
        if ($toplevel eq 'pool') {
            foreach my $priv (keys %$path_perm) {
+               next if !defined($path_perm->{$priv});
+
                if ($priv =~ m/^VM\./) {
                    $res->{vms}->{$priv} = 1;
                } elsif ($priv =~ m/^Datastore\./) {
@@ -167,6 +174,8 @@ sub compute_api_permission {
        } else {
            my $priv_regex = $priv_re_map->{$toplevel} // next;
            foreach my $priv (keys %$path_perm) {
+               next if !defined($path_perm->{$priv});
+
                next if $priv !~ m/^($priv_regex)/;
                $res->{$toplevel}->{$priv} = 1;
            }
@@ -212,6 +221,9 @@ sub get_effective_permissions {
     my $perms = {};
     foreach my $path (keys %$paths) {
        my $path_perms = $self->permissions($user, $path);
+       foreach my $priv (keys %$path_perms) {
+           delete $path_perms->{$priv} if !defined($path_perms->{$priv});
+       }
        # filter paths where user has NO permissions
        $perms->{$path} = $path_perms if %$path_perms;
     }