[pve-devel] [PATCH pve-access-control 2/2] rpcenvironnment: add check_sdn_bridge

Fabian Grünbichler f.gruenbichler at proxmox.com
Mon Jun 5 12:12:12 CEST 2023


On June 5, 2023 1:37 am, Alexandre Derumier wrote:
> check if user has access to 1 vlan of the bridge
> or the bridge itself
> 
> Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
> ---
>  src/PVE/RPCEnvironment.pm | 17 +++++++++++++++++
>  1 file changed, 17 insertions(+)
> 
> diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm
> index 8586938..fb010cc 100644
> --- a/src/PVE/RPCEnvironment.pm
> +++ b/src/PVE/RPCEnvironment.pm
> @@ -324,6 +324,23 @@ sub check_full {
>      }
>  }
>  
> +sub check_sdn_bridge {
> +    my ($self, $username, $path, $privs, $noerr) = @_;

instead of $path, passing in just the bridge ID would also work, and
maybe be a nicer interface..

> +
> +    my $cfg = $self->{user_cfg};
> +    my $bridge_acl = PVE::AccessControl::find_acl_tree_node($cfg->{acl_root}, $path);
> +    if ($bridge_acl) {
> +	my $vlans = $bridge_acl->{children};
> +	for my $vlan (keys %$vlans) {
> +	    my $vlanpath = "$path/$vlan";
> +	    return 1 if $self->check_any($username, $vlanpath, $privs, $noerr);
> +	}
> +	# check propagate on bridge itself
> +	return 1 if $self->check_any($username, $path, $privs, $noerr);

this doesn't actually check propagation though? for that you could
either:
- use $self->permissions (it returns the propagate bit)
- query a non-existing vlan child path with check_any

> +    }
> +    return;
> +}
> +
>  sub check_user_enabled {
>      my ($self, $user, $noerr) = @_;
>  
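
Review bot: in check_sdn_bridge, the bridge-level check_any on $path sits inside `if ($bridge_acl)` and the sub ends in a bare `return;`, so when find_acl_tree_node yields no node for $path the caller gets a false value without any privilege check on $path, and without an error even when $noerr is unset. Suggest moving the check on $path out of the `if` block, so it runs whether or not an ACL node exists for the bridge, and making the fall-through path honour $noerr. The per-VLAN calls in the loop also receive the caller's $noerr: if check_any raises when $noerr is unset, the first child lacking the privilege would end the lookup before the remaining children and the bridge are tried, so passing a true $noerr inside the loop and reporting the failure once at the end would be safer. A short comment above the sub stating what it returns and when it raises would help callers.
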
> -- 
> 2.30.2
> 
> 