[pve-devel] [PATCH access-control 1/3] fix #1501: pveum: die when deleting special role

[Philip Abernethy]

Die with a helpful error message instead of silently ignoring the user
when trying to delete a special role.
---
 PVE/API2/Role.pm     | 3 +++
 PVE/AccessControl.pm | 1 +
 2 files changed, 4 insertions(+)

diff --git a/PVE/API2/Role.pm b/PVE/API2/Role.pm
index 6392e13..d8d8e17 100644
--- a/PVE/API2/Role.pm
+++ b/PVE/API2/Role.pm
@@ -192,6 +192,9 @@ __PACKAGE__->register_method ({
 
 		my $usercfg = cfs_read_file("user.cfg");
 
+		die "role '$role' can not be deleted\n"
+		    if ($usercfg->{roles}->{$role}->{special});
+
 		die "role '$role' does not exist\n"
 		    if !$usercfg->{roles}->{$role};
 	
diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 7d02cdf..b6be95d 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -595,6 +595,7 @@ sub userconfig_force_defaults {
 
     foreach my $r (keys %$special_roles) {
 	$cfg->{roles}->{$r} = $special_roles->{$r};
+	$cfg->{roles}->{$r}->{special} = 1;
     }
 
     # add root user if not exists
-- 
2.11.0