On June 6, 2023 2:15 pm, DERUMIER, Alexandre wrote:
>> > + # check propagate on bridge itself
>> > + return 1 if $self->check_any($username, $path, $privs,
>> > $noerr);
>>
>> this doesn't actually check propagation though? for that you could
>> either:
>> - use $self->permissions (it returns the propagate bit)
>> - query a non-existing vlan child path with check_any
>>
>>
>
> do we really need to check propagation ?
>
> Here, we want to check if user have permission to the bridge,
>
> if user have an acl on a vlan of the bridge
>
> or
>
> if user have access to the bridge (propagate or not).
>
> for example, if I check with a dummy vlanid ,/sdn/zones/myzone/vnet1/0,
>
> It'll be ok if user have propagate on vnet1, but not if user
> don't have propagate
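
Review bot: the comment on the first added line says "check propagate on bridge itself", but the check_any call on the following line is given only $username, $path, $privs and $noerr, and nothing in these lines reads a propagate bit. Reword the comment to state what the call tests, for example "# check bridge/vnet itself", so that the comment and the check agree.
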

you are right, we don't need to check for propagation here.

so basically we have two parts - maybe those could be added as a comment,
and another higher-level one for the whole helper to make it clear what
it actually checks:

# checks whether user has $privs on the bridge/vnet in any fashion
sub check_sdn_bridge {
    ..
    # check explicit VLAN tag ACLs
    ..
    # check bridge/vnet itself
    ..
}

and then we could also turn the order around, and check the bridge first
as a fast path that does less work?

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
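
The point settled in this thread, as an added example that is not code from the patch or from Proxmox: a simplified stand-alone ACL model showing why a lookup on a dummy VLAN child path only succeeds when the vnet ACL propagates, while a helper that checks the bridge itself and then explicit VLAN tag ACLs succeeds in every case. Assumptions: `has_priv`, the privilege name `Example.Priv` and the ACL tables are hypothetical, and "nearest applicable entry wins" is a simplification of the real permission lookup.

```perl
use strict;
use warnings;

my $PRIV   = 'Example.Priv';               # placeholder privilege name (assumption)
my $BRIDGE = '/sdn/zones/myzone/vnet1';    # vnet path used in the thread

# Constructed ACL tables for one user: path => [ propagate, { priv => 1 } ]
my %cases = (
    'vnet1, no propagate' => { $BRIDGE       => [0, { $PRIV => 1 }] },
    'vnet1, propagate'    => { $BRIDGE       => [1, { $PRIV => 1 }] },
    'vlan 100 only'       => { "$BRIDGE/100" => [0, { $PRIV => 1 }] },
);

# Walk from $path towards the root (paths must be absolute). An entry on
# $path itself always applies; an ancestor's entry applies only if it propagates.
sub has_priv {
    my ($acl, $path, $priv) = @_;
    for (my $p = $path; $p ne ''; $p =~ s{/[^/]*$}{}) {
        my $e = $acl->{$p} or next;
        return $e->[1]{$priv} ? 1 : 0 if $p eq $path || $e->[0];
    }
    return 0;
}

# checks whether user has $priv on the bridge/vnet in any fashion
sub check_sdn_bridge {
    my ($acl, $bridge, $priv) = @_;

    # check bridge/vnet itself first (fast path, propagate or not)
    return 1 if has_priv($acl, $bridge, $priv);

    # check explicit VLAN tag ACLs below the bridge
    for my $p (sort keys %$acl) {
        next unless $p =~ m{^\Q$bridge\E/\d+$};
        return 1 if has_priv($acl, $p, $priv);
    }
    return 0;
}

for my $name (sort keys %cases) {
    my $acl = $cases{$name};
    printf "%-20s dummy-vlan-path=%d  check_sdn_bridge=%d\n", $name,
        has_priv($acl, "$BRIDGE/0", $PRIV),
        check_sdn_bridge($acl, $BRIDGE, $PRIV);
}
```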