fix NoAccess when inheritred from pool
authorDietmar Maurer <dietmar@proxmox.com>
Thu, 26 Jan 2012 05:13:59 +0000 (06:13 +0100)
committerDietmar Maurer <dietmar@proxmox.com>
Thu, 26 Jan 2012 05:13:59 +0000 (06:13 +0100)
PVE/RPCEnvironment.pm
test/Makefile
test/perm-test7.pl [new file with mode: 0755]
test/test7.cfg [new file with mode: 0644]

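--- a/PVE/RPCEnvironment.pm
+++ b/PVE/RPCEnvironment.pm
@@ -129,8 +129,12 @@ my $compile_acl_path = sub {
     # Note: assume we do not want to propagate those privs
     if ($data->{poolroles}->{$path}) {
        if (!($ra[0] && $ra[0] eq 'NoAccess')) {
-           foreach my $role (keys %{$data->{poolroles}->{$path}}) {
-               push @ra, $role;
+           if ($data->{poolroles}->{$path}->{NoAccess}) {
+               @ra = ('NoAccess');
+           } else {
+               foreach my $role (keys %{$data->{poolroles}->{$path}}) {
+                   push @ra, $role;
+               }
            }
        }
     }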
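Review bot: The added test `$data->{poolroles}->{$path}->{NoAccess}` decides on the truthiness of the stored value, while the `foreach` in the `else` branch goes by `keys`. If the per-role value can be false (for instance a propagate flag of 0; `poolroles` is filled outside this hunk, so this needs confirming), a NoAccess entry would fall into the `else` branch and be pushed alongside the other roles instead of overriding them. `if (exists $data->{poolroles}->{$path}->{NoAccess}) {` makes the deny decision independent of the value. A comment above `@ra = ('NoAccess');` such as `# pool-level NoAccess discards every role collected so far` would record that the override is intentional. The enclosing `$compile_acl_path` sub starts and ends outside the hunk.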
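--- a/test/Makefile
+++ b/test/Makefile
@@ -9,4 +9,5 @@ check:
        perl -I.. perm-test4.pl
        perl -I.. perm-test5.pl
        perl -I.. perm-test6.pl
+       perl -I.. perm-test7.pl
 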
 
diff --git a/test/perm-test7.pl b/test/perm-test7.pl
new file mode 100755 (executable)
index 0000000..e2b71a3
--- /dev/null
@@ -0,0 +1,33 @@
+#!/usr/bin/perl -w
+
+use strict;
+use PVE::Tools;
+use PVE::AccessControl;
+use PVE::RPCEnvironment;
+use Getopt::Long;
+
+my $rpcenv = PVE::RPCEnvironment->init('cli');
+
+my $cfgfn = "test7.cfg";
+$rpcenv->init_request(userconfig => $cfgfn);
+
+sub check_roles {
+    my ($user, $path, $expected_result) = @_;
+
+    my @ra = $rpcenv->roles($user, $path);
+    my $res = join(',', sort @ra);
+
+    die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
+       if $res ne $expected_result;
+
+    print "ROLES:$path:$user:$res\n";
+}
+
+
+check_roles('User1@pve', '/vms', 'Role1');
+check_roles('User1@pve', '/vms/200', 'Role1');
+check_roles('User1@pve', '/vms/100', 'NoAccess');
+
+print "all tests passed\n";
+
+exit (0);
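Review bot: The three `check_roles` calls only cover a pool ACL that holds NoAccess by itself, so the case the new branch exists for, a pool that yields NoAccess together with another role for the same user, is not pinned by any assertion. test7.cfg already defines GroupA, GroupB, User2@pve, Role2 and Role3 without referencing them in an `acl:` line. Adding a group grant on the pool (constructed sample: `acl:1:/pool/devel:@GroupA:Role2:`) while keeping `check_roles('User1@pve', '/vms/100', 'NoAccess');` would verify that deny wins over a pool grant. A `check_roles` call for User2@pve on `/vms/100` would also confirm that the deny does not leak to other users. `use PVE::Tools;`, `use PVE::AccessControl;` and `use Getopt::Long;` are not referenced in the script and could be dropped.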
diff --git a/test/test7.cfg b/test/test7.cfg
new file mode 100644 (file)
index 0000000..a17d668
--- /dev/null
@@ -0,0 +1,15 @@
+user:User1@pve:1:
+user:User2@pve:1:
+
+group:GroupA:User1@pve,User2@pve:
+group:GroupB:User1@pve,User2@pve:
+
+role:Role1:VM.PowerMgmt:
+role:Role2:VM.Console:
+role:Role3:VM.Console:
+
+acl:1:/pool/devel:User1@pve:NoAccess:
+
+acl:1:/vms:User1@pve:Role1:
+
+pool:devel:Development:100:store1: