[pve-devel] r5614 - in pve-access-control/trunk: . PVE test
svn-commits at proxmox.com
svn-commits at proxmox.com
Thu Feb 24 14:37:18 CET 2011
Author: dietmar
Date: 2011-02-24 14:37:18 +0100 (Thu, 24 Feb 2011)
New Revision: 5614
Modified:
pve-access-control/trunk/ChangeLog
pve-access-control/trunk/PVE/AccessControl.pm
pve-access-control/trunk/test/perm-test1.pl
Log:
* PVE/AccessControl.pm (roles): fix group permission propagation
Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog 2011-02-24 13:08:46 UTC (rev 5613)
+++ pve-access-control/trunk/ChangeLog 2011-02-24 13:37:18 UTC (rev 5614)
@@ -1,5 +1,7 @@
2011-02-24 Proxmox Support Team <support at proxmox.com>
+ * PVE/AccessControl.pm (roles): fix group permission propagation
+
* PVE/API2/ACL.pm: cleanup API - use '-users' and '-gropus'
instead of '-uglist'
Modified: pve-access-control/trunk/PVE/AccessControl.pm
===================================================================
--- pve-access-control/trunk/PVE/AccessControl.pm 2011-02-24 13:08:46 UTC (rev 5613)
+++ pve-access-control/trunk/PVE/AccessControl.pm 2011-02-24 13:37:18 UTC (rev 5614)
@@ -1140,21 +1140,21 @@
$perm->{user} = $new; # overwrite previous settings
}
+ my $new;
foreach my $g (keys %{$acl->{groups}}) {
next if !$cfg->{groups}->{$g}->{users}->{$user};
if (my $ri = $acl->{groups}->{$g}) {
- my $new = {};
foreach my $role (keys %$ri) {
my $propagate = $ri->{$role};
if ($final || $propagate) {
#print "APPLY ROLE $p \@$g $role\n";
+ $new = {} if !$new;
$new->{$role} = 1;
}
}
- $perm->{group}->{$g} = $new; # overwrite previous settings
}
}
-
+ $perm->{group} = $new if $new; # overwrite previous settings
}
my $res = {};
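Review bot: The trailing comment on `$perm->{group} = $new if $new;` still reads `# overwrite previous settings`, which no longer describes what the statement does. `$new` is now shared across the whole `foreach my $g` loop, so one assignment replaces the group roles inherited from parent paths with the union of roles from every group the user belongs to at this path. Because `$new` is only created when a role is final or propagating, a path whose group entries contribute nothing leaves the inherited roles untouched. I would spell both rules out, for example `# roles from all matching groups at this path replace group roles inherited from parent paths; nothing applicable here keeps the inherited set`. The enclosing path loop and sub begin and end outside this hunk, so the scoping of `$new` relative to the earlier user block is inferred from the visible braces only.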
@@ -1162,16 +1162,9 @@
if (!defined ($perm->{user}->{NoAccess})) {
$res = $perm->{user};
}
- } else {
- if ($perm->{group}) {
- foreach my $g (keys %{$perm->{group}}) {
- my $ri = $perm->{group}->{$g};
- if (!defined ($ri->{NoAccess})) {
- foreach my $r (keys %$ri) {
- $res->{$r} = 1;
- }
- }
- }
+ } elsif ($perm->{group}) {
+ if (!defined ($perm->{group}->{NoAccess})) {
+ $res = $perm->{group};
}
}
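Review bot: A `NoAccess` role contributed by any one group now empties the result for all group-derived roles, because `$perm->{group}` is a single hash merged across groups and the `$perm->{group}->{NoAccess}` check is no longer made per group. The removed loop skipped only the group that carried NoAccess and still returned the roles of the user's other groups, so this is a policy change and not only a refactor. If deny-wins is the intended rule, record it next to the check, e.g. `# NoAccess from any group denies all group-derived roles at this path`. A `check_roles` case in test/perm-test1.pl for a user in two groups where only one carries NoAccess would pin it down; whether the re-enabled sue case already exercises this cannot be told from the visible lines. The enclosing sub starts and ends outside the hunk.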
Modified: pve-access-control/trunk/test/perm-test1.pl
===================================================================
--- pve-access-control/trunk/test/perm-test1.pl 2011-02-24 13:08:46 UTC (rev 5613)
+++ pve-access-control/trunk/test/perm-test1.pl 2011-02-24 13:37:18 UTC (rev 5614)
@@ -43,6 +43,7 @@
check_roles('max at pve', '/', '');
check_roles('max at pve', '/vms', 'vm_admin');
+
#user permissions overrides group permissions
check_roles('max at pve', '/vms/100', 'customer');
check_roles('max at pve', '/vms/101', 'vm_admin');
@@ -54,9 +55,10 @@
check_permission('alex at pve', '/vms', '');
check_permission('alex at pve', '/vms/100', 'VM.Audit,VM.PowerMgmt');
-check_roles('max at pve', '/vms/200', 'storage_manager,vm_admin');
+
+check_roles('max at pve', '/vms/200', 'storage_manager');
check_roles('joe at pve', '/vms/200', 'vm_admin');
-#check_roles('sue at pve', '/vms/200', '');
+check_roles('sue at pve', '/vms/200', '');
print "all tests passed\n";
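Review bot: The changed expectation for max at `/vms/200` (from `storage_manager,vm_admin` to `storage_manager`) and the re-enabled sue check encode the new rule but carry no comment saying which rule they test. The block above already documents its intent with `#user permissions overrides group permissions`. A matching line above these checks would help, such as `#group roles set at a more specific path replace inherited group roles`, so that a later change to the propagation logic cannot quietly flip these expectations back without the reader seeing what was meant.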