From 8ade28e6850c260322ffb36e97dc31f12ef8f1e1 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Thu, 26 Jan 2012 06:13:59 +0100
Subject: [PATCH] fix NoAccess when inheritred from pool
---
 PVE/RPCEnvironment.pm | 8 ++++++--
 test/Makefile | 1 +
 test/perm-test7.pl | 33 +++++++++++++++++++++++++++++++++
 test/test7.cfg | 15 +++++++++++++++
 4 files changed, 55 insertions(+), 2 deletions(-)
 create mode 100755 test/perm-test7.pl
 create mode 100644 test/test7.cfg
diff --git a/PVE/RPCEnvironment.pm b/PVE/RPCEnvironment.pm
index a2b8bc2..0df71dc 100644
--- a/PVE/RPCEnvironment.pm
+++ b/PVE/RPCEnvironment.pm
@@ -129,8 +129,12 @@ my $compile_acl_path = sub {
 # Note: assume we do not want to propagate those privs
 if ($data->{poolroles}->{$path}) {
 if (!($ra[0] && $ra[0] eq 'NoAccess')) {
- foreach my $role (keys %{$data->{poolroles}->{$path}}) {
- push @ra, $role;
+ if ($data->{poolroles}->{$path}->{NoAccess}) {
+ @ra = ('NoAccess');
+ } else {
+ foreach my $role (keys %{$data->{poolroles}->{$path}}) {
+ push @ra, $role;
+ }
 }
 }
 }
diff --git a/test/Makefile b/test/Makefile
index 567a2e4..5c9c94e 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -9,4 +9,5 @@ check:
 perl -I.. perm-test4.pl
 perl -I.. perm-test5.pl
 perl -I.. perm-test6.pl
+ perl -I.. perm-test7.pl
diff --git a/test/perm-test7.pl b/test/perm-test7.pl
new file mode 100755
index 0000000..e2b71a3
--- /dev/null
+++ b/test/perm-test7.pl
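Review bot: The added `@ra = ('NoAccess');` branch in PVE/RPCEnvironment.pm discards every role already collected in `@ra` for this path, so a pool-level NoAccess now overrides roles that reached the path by any other route; the visible lines do not say whether that is meant to include a role granted directly on the VM path, and the new test only covers a role propagated from `/vms`. A comment above the branch would pin the intent, for example `# pool NoAccess is a deny: it replaces every role collected so far for this path`. The outer guard tests only `$ra[0]`, so it relies on NoAccess always being the sole element of `@ra`, which this branch preserves; that invariant is worth stating in the same comment. The body of `$compile_acl_path` starts and ends outside the hunk, so how `@ra` is filled before this point cannot be checked here.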
@@ -0,0 +1,33 @@
+#!/usr/bin/perl -w
+
+use strict;
+use PVE::Tools;
+use PVE::AccessControl;
+use PVE::RPCEnvironment;
+use Getopt::Long;
+
+my $rpcenv = PVE::RPCEnvironment->init('cli');
+
+my $cfgfn = "test7.cfg";
+$rpcenv->init_request(userconfig => $cfgfn);
+
+sub check_roles {
+ my ($user, $path, $expected_result) = @_;
+
+ my @ra = $rpcenv->roles($user, $path);
+ my $res = join(',', sort @ra);
+
+ die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
+ if $res ne $expected_result;
+
+ print "ROLES:$path:$user:$res\n";
+}
+
+
+check_roles('User1@pve', '/vms', 'Role1');
+check_roles('User1@pve', '/vms/200', 'Role1');
+check_roles('User1@pve', '/vms/100', 'NoAccess');
+
+print "all tests passed\n";
+
+exit (0);
diff --git a/test/test7.cfg b/test/test7.cfg
new file mode 100644
index 0000000..a17d668
--- /dev/null
+++ b/test/test7.cfg
@@ -0,0 +1,15 @@
+user:User1@pve:1:
+user:User2@pve:1:
+
+group:GroupA:User1@pve,User2@pve:
+group:GroupB:User1@pve,User2@pve:
+
+role:Role1:VM.PowerMgmt:
+role:Role2:VM.Console:
+role:Role3:VM.Console:
+
+acl:1:/pool/devel:User1@pve:NoAccess:
+
+acl:1:/vms:User1@pve:Role1:
+
+pool:devel:Development:100:store1:
-- 
2.39.2
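Review bot: The three `check_roles` calls in test/perm-test7.pl exercise only User1 with a role propagated from `/vms`, so the deny precedence this fix introduces is pinned for a single case. test7.cfg also declares User2, GroupA, GroupB, Role2 and Role3, none of which appears in an acl line or an assertion; either drop them or use them, for instance a case where User1 also holds a role directly on `/vms/100`, to record whether the pool NoAccess is meant to win there too. A check such as `check_roles('User2@pve', '/vms/100', '');` (expected value assumed, since User2 has no acl entry) would show that User1's deny does not change another user's result. `PVE::Tools`, `PVE::AccessControl` and `Getopt::Long` are imported but not referenced in the visible script.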