[pve-devel] [PATCH access-control 2/3] permissions: fix token/user priv intersection

Fabian Grünbichler f.gruenbichler at proxmox.com
Fri Jun 3 13:50:48 CEST 2022


the token/user priv intersection could only honored user privs that had
the propagation flag set, reducing the scope of the token more than
intended.

the pre-existing test case actually triggered the broken behaviour, but
the expected value matched it so it was not noticed.

Fixes: e8a0cee47bb477162f291e67144ea0c0df47f2ee "rpcenv: improve user/token intersection"

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
 src/PVE/RPCEnvironment.pm | 2 +-
 src/test/perm-test8.pl    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm
index b5da4f2..a0c7555 100644
--- a/src/PVE/RPCEnvironment.pm
+++ b/src/PVE/RPCEnvironment.pm
@@ -82,7 +82,7 @@ my $compile_acl_path = sub {
     if ($username && $username ne 'root at pam') {
 	# intersect user and token permissions
 	my $user_privs = $cache->{$username}->{privs}->{$path};
-	my $filtered_privs = [ grep { $user_privs->{$_} } keys %$privs ];
+	my $filtered_privs = [ grep { defined($user_privs->{$_}) } keys %$privs ];
 	$privs = { map { $_ => $user_privs->{$_} && $privs->{$_} } @$filtered_privs };
     }
 
diff --git a/src/test/perm-test8.pl b/src/test/perm-test8.pl
index 83ca1f2..5dab6c6 100644
--- a/src/test/perm-test8.pl
+++ b/src/test/perm-test8.pl
@@ -63,7 +63,7 @@ check_roles('max at pve!token', '/vms/200', 'storage_manager');
 check_roles('max at pve!token2', '/vms/200', 'customer');
 
 # check intersection -> token has Administrator, but user only vm_admin
-check_permission('max at pve!token2', '/vms/300', 'Permissions.Modify,VM.Allocate,VM.Audit,VM.Console');
+check_permission('max at pve!token2', '/vms/300', 'Permissions.Modify,VM.Allocate,VM.Audit,VM.Console,VM.PowerMgmt');
 
 print "all tests passed\n";
 
-- 
2.30.2





More information about the pve-devel mailing list