# Note: assume we do not want to propagate those privs
if ($data->{poolroles}->{$path}) {
if (!($ra[0] && $ra[0] eq 'NoAccess')) {
- foreach my $role (keys %{$data->{poolroles}->{$path}}) {
- push @ra, $role;
+ if ($data->{poolroles}->{$path}->{NoAccess}) {
+ @ra = ('NoAccess');
+ } else {
+ foreach my $role (keys %{$data->{poolroles}->{$path}}) {
+ push @ra, $role;
+ }
}
}
}
--- /dev/null
+#!/usr/bin/perl -w
+
+use strict;
+use PVE::Tools;
+use PVE::AccessControl;
+use PVE::RPCEnvironment;
+use Getopt::Long;
+
+my $rpcenv = PVE::RPCEnvironment->init('cli');
+
+my $cfgfn = "test7.cfg";
+$rpcenv->init_request(userconfig => $cfgfn);
+
+sub check_roles {
+ my ($user, $path, $expected_result) = @_;
+
+ my @ra = $rpcenv->roles($user, $path);
+ my $res = join(',', sort @ra);
+
+ die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
+ if $res ne $expected_result;
+
+ print "ROLES:$path:$user:$res\n";
+}
+
+
+check_roles('User1@pve', '/vms', 'Role1');
+check_roles('User1@pve', '/vms/200', 'Role1');
+check_roles('User1@pve', '/vms/100', 'NoAccess');
+
+print "all tests passed\n";
+
+exit (0);
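Review bot: The three `check_roles` calls only query `User1@pve`, so nothing asserts that the pool-level `NoAccess` stays confined to the user named in the ACL; `User2@pve` is defined in test7.cfg but never checked. Consider adding `check_roles('User2@pve', '/vms/100', '');` (the empty expected value is assumed from the fixture, which shows no ACL for User2; confirm it against `roles()`). A second case worth pinning is a pool ACL that lists `NoAccess` together with another role, because that is where the new branch replaces `@ra` with `('NoAccess')` instead of appending every key. `GroupA`, `GroupB`, `Role2` and `Role3` in the fixture are unused by this script and could be dropped or put to work in a group-ACL case. `Getopt::Long` is imported although the visible script parses no options.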
--- /dev/null
+user:User1@pve:1:
+user:User2@pve:1:
+
+group:GroupA:User1@pve,User2@pve:
+group:GroupB:User1@pve,User2@pve:
+
+role:Role1:VM.PowerMgmt:
+role:Role2:VM.Console:
+role:Role3:VM.Console:
+
+acl:1:/pool/devel:User1@pve:NoAccess:
+
+acl:1:/vms:User1@pve:Role1:
+
+pool:devel:Development:100:store1: