[pve-devel] [PATCH pve-access-control 2/2] rpcenvironnment: add check_sdn_bridge
Fabian Grünbichler
f.gruenbichler at proxmox.com
Mon Jun 5 12:12:12 CEST 2023
On June 5, 2023 1:37 am, Alexandre Derumier wrote:
> check if user has access to 1 vlan of the bridge
> or the bridge itself
>
> Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
> ---
> src/PVE/RPCEnvironment.pm | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
>
> diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm
> index 8586938..fb010cc 100644
> --- a/src/PVE/RPCEnvironment.pm
> +++ b/src/PVE/RPCEnvironment.pm
> @@ -324,6 +324,23 @@ sub check_full {
> }
> }
>
> +sub check_sdn_bridge {
> + my ($self, $username, $path, $privs, $noerr) = @_;
instead of $path, passing in just the bridge ID would also work, and
maybe be a nicer interface..
> +
> + my $cfg = $self->{user_cfg};
> + my $bridge_acl = PVE::AccessControl::find_acl_tree_node($cfg->{acl_root}, $path);
> + if ($bridge_acl) {
> + my $vlans = $bridge_acl->{children};
> + for my $vlan (keys %$vlans) {
> + my $vlanpath = "$path/$vlan";
> + return 1 if $self->check_any($username, $vlanpath, $privs, $noerr);
> + }
> + # check propagate on bridge itself
> + return 1 if $self->check_any($username, $path, $privs, $noerr);
this doesn't actually check propagation though? for that you could
either:
- use $self->permissions (it returns the propagate bit)
- query a non-existing vlan child path with check_any
> + }
> + return;
> +}
> +
> sub check_user_enabled {
> my ($self, $user, $noerr) = @_;
>
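Review bot: the check_any calls inside the "for my $vlan" loop forward the caller's $noerr, so when $noerr is unset the first vlan the user lacks privileges on can raise a permission error before the remaining vlans or the bridge itself are tried, while the final bare "return;" fails silently even though the caller asked for an exception. Suggest probing with $noerr forced to 1 in the loop and on the bridge path, then raising once at the end unless $noerr is set. Separately, the bridge-level check_any sits inside "if ($bridge_acl)", so it is skipped whenever find_acl_tree_node returns nothing for $path; it may be worth moving that check outside the block so the bridge path is always evaluated.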
> --
> 2.30.2