[pve-devel] [PATCH access-control 1/3] permissions: properly merge propagation flag

Fabian Grünbichler f.gruenbichler at proxmox.com
Fri Jun 3 13:50:47 CEST 2022

when multiple roles are defined on a path that share a privilege, this
randomly took the propagation flag for the priv from the last role
encountered. since perl hashes are iterated randomly, this means the
propagation flag was sometimes set correctly, and sometimes not.

note that this propagation flag is only used for display/dumping
purposes, and for intersection with token privs (see next commit).
actual handling of propagation happens on the role level in

modified test case (spuriously) fails without the fix.

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
 src/PVE/RPCEnvironment.pm | 2 +-
 src/test/test8.cfg        | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm
index ed5625e..b5da4f2 100644
--- a/src/PVE/RPCEnvironment.pm
+++ b/src/PVE/RPCEnvironment.pm
@@ -74,7 +74,7 @@ my $compile_acl_path = sub {
     foreach my $role (keys %$roles) {
 	if (my $privset = $cfg->{roles}->{$role}) {
 	    foreach my $p (keys %$privset) {
-		$privs->{$p} = $roles->{$role};
+		$privs->{$p} ||= $roles->{$role};
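
Review bot: on the `$privs->{$p} ||= $roles->{$role};` line the merge rule is only implicit. `||=` keeps a flag that is already true and lets a later true value replace a stored false one, so the result is a logical OR over every role that grants the privilege, independent of iteration order. That holds only as long as `$roles->{$role}` is a plain true/false propagate value. A one-line comment saying that propagate wins when several roles on the path share a privilege would document the intent, which matters because the commit message says this value is later intersected with token privs.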
diff --git a/src/test/test8.cfg b/src/test/test8.cfg
index 2f85bfd..d5c7e86 100644
--- a/src/test/test8.cfg
+++ b/src/test/test8.cfg
@@ -16,6 +16,8 @@ role:customer:VM.Audit,VM.PowerMgmt:
+acl:0:/vms/300:max at pve:customer:
+acl:1:/vms/300:max at pve:vm_admin:
 acl:1:/vms/100/:alex at pve,max at pve:customer:
 acl:1:/users:max at pve:Administrator:
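
Review bot: the two added `/vms/300` entries give max at pve the customer role with flag 0 and vm_admin with flag 1, but the vm_admin definition is not part of this hunk, so the privilege the two roles share cannot be seen here. The diffstat also lists no test script change, so it is not visible which check exercises this path. A short comment above the two lines naming the shared privilege and the expected propagate result would help. Since the commit message says the failure without the fix is spurious, it is also worth noting there that a passing run on unfixed code does not show the bug is absent.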
