permissions: properly merge propagation flag

when multiple roles are defined on a path that share a privilege, this
randomly took the propagation flag for the priv from the last role
encountered. since perl hashes are iterated randomly, this means the
propagation flag was sometimes set correctly, and sometimes not.

note that this propagation flag is only used for display/dumping
purposes, and for intersection with token privs (see next commit).
actual handling of propagation happens on the role level in
PVE::AccessControl::roles().

modified test case (spuriously) fails without the fix.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm
index ed5625e8b65608c2163427ae1f0f4808df0714f8..b5da4f29ac5ca8a85757662ef65aaad961a96da8 100644 (file)
--- a/src/PVE/RPCEnvironment.pm
+++ b/src/PVE/RPCEnvironment.pm
@@ -74,7 +74,7 @@ my $compile_acl_path = sub {
     foreach my $role (keys %$roles) {
        if (my $privset = $cfg->{roles}->{$role}) {
            foreach my $p (keys %$privset) {
-               $privs->{$p} = $roles->{$role};
+               $privs->{$p} ||= $roles->{$role};
            }
        }
     }

diff --git a/src/test/test8.cfg b/src/test/test8.cfg
index 2f85bfd828772b01a1a3a293d4b75bb5ddd0faca..d5c7e86b0f15a6b978cbb6cacd1af5cd5ac3c416 100644 (file)
--- a/src/test/test8.cfg
+++ b/src/test/test8.cfg
@@ -16,6 +16,8 @@ role:customer:VM.Audit,VM.PowerMgmt:
 role:vm_admin:VM.Audit,VM.Allocate,Permissions.Modify,VM.Console:
 
 acl:1:/vms:@testgroup1:vm_admin:
+acl:0:/vms/300:max@pve:customer:
+acl:1:/vms/300:max@pve:vm_admin:
 acl:1:/vms/100/:alex@pve,max@pve:customer:
 acl:1:/storage/nfs1:@testgroup2:storage_manager:
 acl:1:/users:max@pve:Administrator: