[pve-devel] [PATCH v2 access-control 04/23] access-control: remove check_permissions/permission
Fabian Grünbichler
f.gruenbichler at proxmox.com
Thu Nov 21 15:43:22 CET 2019
they have been handled by PVE::RPCEnvironment for quite some time
already, and the versions there are the complete ones that should
actually be used.
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
Notes:
v1->v2:
* add versioned breaks on pve-manager
PVE/AccessControl.pm | 37 -------------------------------------
debian/control | 1 +
test/dump-perm.pl | 16 ++++++----------
test/perm-test1.pl | 2 +-
4 files changed, 8 insertions(+), 48 deletions(-)
diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 1ba1596..ad97a42 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -1275,43 +1275,6 @@ sub roles {
return @ra;
}
-sub permission {
- my ($cfg, $user, $path) = @_;
-
- $user = PVE::Auth::Plugin::verify_username($user, 1);
- return {} if !$user;
-
- my @ra = roles($cfg, $user, $path);
-
- my $privs = {};
-
- foreach my $role (@ra) {
- if (my $privset = $cfg->{roles}->{$role}) {
- foreach my $p (keys %$privset) {
- $privs->{$p} = 1;
- }
- }
- }
-
- #print "priviledges $user $path = " . Dumper ($privs);
-
- return $privs;
-}
-
-sub check_permissions {
- my ($username, $path, $privlist) = @_;
-
- $path = normalize_path($path);
- my $usercfg = cfs_read_file('user.cfg');
- my $perm = permission($usercfg, $username, $path);
-
- foreach my $priv (split_list($privlist)) {
- return undef if !$perm->{$priv};
- };
-
- return 1;
-}
-
sub remove_vm_access {
my ($vmid) = @_;
my $delVMaccessFn = sub {
diff --git a/debian/control b/debian/control
index e9f70d6..4247b1f 100644
--- a/debian/control
+++ b/debian/control
@@ -31,6 +31,7 @@ Depends: libauthen-pam-perl,
pve-cluster (>= 5.0-35),
${misc:Depends},
${perl:Depends},
+Breaks: pve-manager (<= 6.0-9),
Description: Proxmox VE access control library
This package contains the role based user management and access
control function used by Proxmox VE.
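Review bot: The new `Breaks: pve-manager (<= 6.0-9)` covers only one consumer of the removed `PVE::AccessControl::permission` and `check_permissions` subs. Any other package that still calls them would fail with an undefined-subroutine error at call time instead of being caught at install time. It is worth confirming that pve-manager was the only caller, for instance by searching the other PVE repositories for both names, and adding further versioned Breaks if it was not.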
diff --git a/test/dump-perm.pl b/test/dump-perm.pl
index 96bc023..cb2a2ee 100755
--- a/test/dump-perm.pl
+++ b/test/dump-perm.pl
@@ -1,7 +1,7 @@
#!/usr/bin/perl -w
use strict;
-use PVE::AccessControl;
+use PVE::RPCEnvironment;
use Getopt::Long;
use Data::Dumper;
@@ -23,18 +23,14 @@ if (!($username && $path)) {
my $cfg;
+my $rpcenv = PVE::RPCEnvironment->init('cli');
if ($opt_file) {
-
- my $fh = IO::File->new ($opt_file, 'r') ||
- die "can't open file $opt_file - $!\n";
-
- $cfg = PVE::AccessControl::parse_config ($opt_file, $fh);
- $fh->close();
-
+ $rpcenv->init_request(userconfig => $opt_file);
} else {
- $cfg = PVE::AccessControl::load_user_config();
+ $rpcenv->init_request();
}
-my $perm = PVE::AccessControl::permission($cfg, $username, $path);
+
+my $perm = $rpcenv->permissions($username, $path);
print "permission for user '$username' on '$path':\n";
print join(',', keys %$perm) . "\n";
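Review bot: `my $cfg;` at the top of this hunk is still declared, but nothing on the new side assigns or reads it, so the declaration can be dropped. Separately, the removed branch died with `can't open file $opt_file - $!` when the file could not be opened. Whether `$rpcenv->init_request(userconfig => $opt_file)` fails as loudly is not visible here, and an empty permission list printed for an unreadable config is easy to misread as "this user has no privileges". If it does not die, a guard such as `die "can't read file $opt_file\n" if !-r $opt_file;` before the call would keep the old fail-loud behaviour.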
diff --git a/test/perm-test1.pl b/test/perm-test1.pl
index fe654b8..3efc79f 100755
--- a/test/perm-test1.pl
+++ b/test/perm-test1.pl
@@ -26,7 +26,7 @@ sub check_roles {
sub check_permission {
my ($user, $path, $expected_result) = @_;
- my $perm = PVE::AccessControl::permission($rpcenv->{user_cfg}, $user, $path);
+ my $perm = $rpcenv->permissions($user, $path);
my $res = join(',', sort keys %$perm);
die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
--
2.20.1