access-control: remove check_permissions/permission

they have been handled by PVE::RPCEnvironment for quite some time
already, and the versions there are the complete ones that should be
actually used.

manager switched over their last use not long ago, in 6.0-9, so
record a Breaks to that version.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 1ba1596668e383ef6dac9ac4a38d63225978b1cb..ad97a426c6df7aa4627383d5e2a12b6d42ac7583 100644 (file)
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -1275,43 +1275,6 @@ sub roles {
     return @ra;
 }
 
-sub permission {
-    my ($cfg, $user, $path) = @_;
-
-    $user = PVE::Auth::Plugin::verify_username($user, 1);
-    return {} if !$user;
-
-    my @ra = roles($cfg, $user, $path);
-
-    my $privs = {};
-
-    foreach my $role (@ra) {
-       if (my $privset = $cfg->{roles}->{$role}) {
-           foreach my $p (keys %$privset) {
-               $privs->{$p} = 1;
-           }
-       }
-    }
-
-    #print "priviledges $user $path = " . Dumper ($privs);
-
-    return $privs;
-}
-
-sub check_permissions {
-    my ($username, $path, $privlist) = @_;
-
-    $path = normalize_path($path);
-    my $usercfg = cfs_read_file('user.cfg');
-    my $perm = permission($usercfg, $username, $path);
-
-    foreach my $priv (split_list($privlist)) {
-       return undef if !$perm->{$priv};
-    };
-
-    return 1;
-}
-
 sub remove_vm_access {
     my ($vmid) = @_;
     my $delVMaccessFn = sub {

diff --git a/debian/control b/debian/control
index e9f70d62b737942ba897fcba495a6147203a8660..4247b1f232913277d2078992f996bd8b51b5aff0 100644 (file)
--- a/debian/control
+++ b/debian/control
@@ -31,6 +31,7 @@ Depends: libauthen-pam-perl,
          pve-cluster (>= 5.0-35),
          ${misc:Depends},
          ${perl:Depends},
+Breaks: pve-manager (<= 6.0-9),
 Description: Proxmox VE access control library
  This package contains the role based user management and access
  control function used by Proxmox VE.

diff --git a/test/dump-perm.pl b/test/dump-perm.pl
index 96bc023cd5e941fbf5c0878375ae2f1319c07b9a..cb2a2eebde5c89921fe4c4be10a671d1e1b04342 100755 (executable)
--- a/test/dump-perm.pl
+++ b/test/dump-perm.pl
@@ -1,7 +1,7 @@
 #!/usr/bin/perl -w
 
 use strict;
-use PVE::AccessControl;
+use PVE::RPCEnvironment;
 use Getopt::Long;
 use Data::Dumper;
 
@@ -23,18 +23,14 @@ if (!($username && $path)) {
 
 my $cfg;
 
+my $rpcenv = PVE::RPCEnvironment->init('cli');
 if ($opt_file) {
-
-    my $fh = IO::File->new ($opt_file, 'r') ||
-       die "can't open file $opt_file - $!\n";
-
-    $cfg = PVE::AccessControl::parse_config ($opt_file, $fh);
-    $fh->close();
-
+    $rpcenv->init_request(userconfig => $opt_file);
 } else {
-    $cfg = PVE::AccessControl::load_user_config();
+    $rpcenv->init_request();
 }
-my $perm = PVE::AccessControl::permission($cfg, $username, $path);
+
+my $perm = $rpcenv->permissions($username, $path);
 
 print "permission for user '$username' on '$path':\n";
 print join(',', keys %$perm) . "\n";

diff --git a/test/perm-test1.pl b/test/perm-test1.pl
index fe654b881d7f1567aa8349528788b935b5e1f0ce..3efc79f7e0d9dc3d6f6fe079c1f20c15751ada52 100755 (executable)
--- a/test/perm-test1.pl
+++ b/test/perm-test1.pl
@@ -26,7 +26,7 @@ sub check_roles {
 sub check_permission {
     my ($user, $path, $expected_result) = @_;
 
-    my $perm = PVE::AccessControl::permission($rpcenv->{user_cfg}, $user, $path);
+    my $perm = $rpcenv->permissions($user, $path);
     my $res = join(',', sort keys %$perm);
 
     die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"