when multiple roles are defined on a path that share a privilege, this
randomly took the propagation flag for the priv from the last role
encountered. since perl hashes are iterated randomly, this means the
propagation flag was sometimes set correctly, and sometimes not.

note that this propagation flag is only used for display/dumping
purposes, and for intersection with token privs (see next commit).
actual handling of propagation happens on the role level in
PVE::AccessControl::roles().

modified test case (spuriously) fails without the fix.

Signed-off-by: Fabian Grünbichler <f.gruenbich...@proxmox.com>
---
 src/PVE/RPCEnvironment.pm | 2 +-
 src/test/test8.cfg        | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm
index ed5625e..b5da4f2 100644
--- a/src/PVE/RPCEnvironment.pm
+++ b/src/PVE/RPCEnvironment.pm
@@ -74,7 +74,7 @@ my $compile_acl_path = sub {
     foreach my $role (keys %$roles) {
        if (my $privset = $cfg->{roles}->{$role}) {
            foreach my $p (keys %$privset) {
-               $privs->{$p} = $roles->{$role};
+               $privs->{$p} ||= $roles->{$role};
            }
        }
     }
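Review bot: the `||=` on the `$privs->{$p}` line has no comment saying why the first truthy value is kept, and it is only independent of `keys %$roles` iteration order if every `$roles->{$role}` value is a plain true/false propagate flag. Please add a one-line comment above it stating that, for a priv shared by several roles on the same path, propagation set by any of those roles wins. Without it, a later reader may take this for a default assignment and revert it to `=`. If the values in `$roles` can ever be something other than a boolean flag, an explicit merge would be safer than relying on truthiness.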
diff --git a/src/test/test8.cfg b/src/test/test8.cfg
index 2f85bfd..d5c7e86 100644
--- a/src/test/test8.cfg
+++ b/src/test/test8.cfg
@@ -16,6 +16,8 @@ role:customer:VM.Audit,VM.PowerMgmt:
 role:vm_admin:VM.Audit,VM.Allocate,Permissions.Modify,VM.Console:
 
 acl:1:/vms:@testgroup1:vm_admin:
+acl:0:/vms/300:max@pve:customer:
+acl:1:/vms/300:max@pve:vm_admin:
 acl:1:/vms/100/:alex@pve,max@pve:customer:
 acl:1:/storage/nfs1:@testgroup2:storage_manager:
 acl:1:/users:max@pve:Administrator:
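Review bot: the two added `/vms/300` entries for `max@pve` only set up the overlap (`customer` and `vm_admin` share `VM.Audit` and differ in the leading flag). The diffstat lists no other test file, so nothing visible here names the expected propagate value for that priv on that path. Since the commit message says the unfixed code fails only spuriously, a single passing run does not prove much. Consider adding an explicit expectation for `VM.Audit` on `/vms/300`, plus a short comment in the cfg explaining that the pair exists to exercise the shared-priv case, so the entries are not later cleaned up as redundant.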
-- 
2.30.2


