From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH access-control 2/3] permissions: fix token/user priv intersection
Date: Fri, 3 Jun 2022 13:50:48 +0200 [thread overview]
Message-ID: <20220603115049.1908792-3-f.gruenbichler@proxmox.com> (raw)
In-Reply-To: <20220603115049.1908792-1-f.gruenbichler@proxmox.com>
the token/user priv intersection could only honored user privs that had
the propagation flag set, reducing the scope of the token more than
intended.
the pre-existing test case actually triggered the broken behaviour, but
the expected value matched it so it was not noticed.
Fixes: e8a0cee47bb477162f291e67144ea0c0df47f2ee "rpcenv: improve user/token intersection"
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
src/PVE/RPCEnvironment.pm | 2 +-
src/test/perm-test8.pl | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm
index b5da4f2..a0c7555 100644
--- a/src/PVE/RPCEnvironment.pm
+++ b/src/PVE/RPCEnvironment.pm
@@ -82,7 +82,7 @@ my $compile_acl_path = sub {
if ($username && $username ne 'root@pam') {
# intersect user and token permissions
my $user_privs = $cache->{$username}->{privs}->{$path};
- my $filtered_privs = [ grep { $user_privs->{$_} } keys %$privs ];
+ my $filtered_privs = [ grep { defined($user_privs->{$_}) } keys %$privs ];
$privs = { map { $_ => $user_privs->{$_} && $privs->{$_} } @$filtered_privs };
}
diff --git a/src/test/perm-test8.pl b/src/test/perm-test8.pl
index 83ca1f2..5dab6c6 100644
--- a/src/test/perm-test8.pl
+++ b/src/test/perm-test8.pl
@@ -63,7 +63,7 @@ check_roles('max@pve!token', '/vms/200', 'storage_manager');
check_roles('max@pve!token2', '/vms/200', 'customer');
# check intersection -> token has Administrator, but user only vm_admin
-check_permission('max@pve!token2', '/vms/300', 'Permissions.Modify,VM.Allocate,VM.Audit,VM.Console');
+check_permission('max@pve!token2', '/vms/300', 'Permissions.Modify,VM.Allocate,VM.Audit,VM.Console,VM.PowerMgmt');
print "all tests passed\n";
--
2.30.2
next prev parent reply other threads:[~2022-06-03 11:51 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-03 11:50 [pve-devel] [PATCH access-control 0/3] fix two propagation related bugs Fabian Grünbichler
2022-06-03 11:50 ` [pve-devel] [PATCH access-control 1/3] permissions: properly merge propagation flag Fabian Grünbichler
2022-06-03 11:50 ` Fabian Grünbichler [this message]
2022-06-03 11:50 ` [pve-devel] [PATCH access-control 3/3] permissions: add some more comments Fabian Grünbichler
2022-06-03 12:03 ` [pve-devel] applied series: [PATCH access-control 0/3] fix two propagation related bugs Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220603115049.1908792-3-f.gruenbichler@proxmox.com \
--to=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.