[pve-devel] [PATCH pve-access-control 2/2] rpcenvironnment: add check_sdn_bridge

Fabian Grünbichler f.gruenbichler at proxmox.com
Tue Jun 6 14:37:05 CEST 2023


On June 6, 2023 2:15 pm, DERUMIER, Alexandre wrote:
>> > +       # check propagate on bridge itself
>> > +       return 1 if $self->check_any($username, $path, $privs,
>> > $noerr);
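Review bot: the comment `# check propagate on bridge itself` does not match the call under it: check_any only tests whether $username holds one of $privs at $path and never looks at the propagate bit, so it should read `# check bridge/vnet itself` (or state what the check actually does). Passing the caller's $noerr straight through also deserves a second look: when $noerr is false, a failing check_any dies instead of returning false, so the `return 1 if` can only fall through when $noerr is set; if this check is ever moved in front of the VLAN tag ACL check, it has to be called with $noerr=1 and only raise once every alternative has failed.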
>> 
>> this doesn't actually check propagation though? for that you could
>> either:
>> - use $self->permissions (it returns the propagate bit)
>> - query a non-existing vlan child path with check_any
>> 
>> 
> 
> do we really need to check propagation?
> 
> Here, we want to check if the user has permission on the bridge,
> 
> if the user has an ACL on a VLAN of the bridge
> 
> or
> 
> if the user has access to the bridge (propagate or not).
> 
> for example, if I check with a dummy vlanid, /sdn/zones/myzone/vnet1/0,
> 
> it'll be ok if the user has propagate on vnet1, but not if the user
> doesn't have propagate

you are right, we don't need to check for propagation here. so basically
we have two parts - maybe those could be added as a comment, and another
higher-level one for the whole helper to make it clear what it actually
checks:

# checks whether user has $privs on the bridge/vnet in any fashion
sub check_sdn_bridge {
..
# check explicit VLAN tag ACLs
..
# check bridge/vnet itself
..
}

and then we could also turn the order around, and check the bridge
first as a fast path that does less work?
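An added sketch of the helper with the two commented parts, reordered so the bridge check runs first as the fast path; this is illustration written here, not the patch's code and not PVE's own implementation. The MockRpcEnv package, its ACL table, the privilege list and the $tag parameter are constructed assumptions so the script runs stand-alone; only the check_any($username, $path, $privs, $noerr) signature and the /sdn/zones/<zone>/<vnet>[/<vlan>] path layout come from the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for PVE::RPCEnvironment (not the real class): check_any()
# answers from a tiny hard-coded ACL table; the real one consults the ACL tree.
package MockRpcEnv;

my $acl = {
    'alice@pve' => {
        '/sdn/zones/myzone/vnet1'     => ['SDN.Use'],   # ACL on the bridge itself
        '/sdn/zones/myzone/vnet2/100' => ['SDN.Use'],   # explicit VLAN tag ACL only
    },
};

sub new { return bless {}, shift }

sub check_any {
    my ($self, $username, $path, $privs, $noerr) = @_;
    my %have = map { $_ => 1 } @{ $acl->{$username}{$path} // [] };
    return 1 if grep { $have{$_} } @$privs;
    die "Permission check failed ($path)\n" if !$noerr;
    return 0;
}

# checks whether user has $privs on the bridge/vnet in any fashion
# Every inner check_any runs with $noerr=1 so a failing alternative cannot die
# before the remaining ones are tried; the caller's $noerr only decides what
# happens once all alternatives have failed. $tag is an assumed parameter.
sub check_sdn_bridge {
    my ($self, $username, $zone, $vnet, $tag, $privs, $noerr) = @_;
    my $path = "/sdn/zones/$zone/$vnet";

    # check bridge/vnet itself (fast path; propagate bit is irrelevant here)
    return 1 if $self->check_any($username, $path, $privs, 1);

    # check explicit VLAN tag ACLs
    return 1 if defined($tag) && $self->check_any($username, "$path/$tag", $privs, 1);

    return 0 if $noerr;
    die "Permission check failed\n";
}

package main;

my $env   = MockRpcEnv->new();
my $privs = ['SDN.Use'];   # constructed sample privilege list
printf "vnet1, no tag:  %d\n", $env->check_sdn_bridge('alice@pve', 'myzone', 'vnet1', undef, $privs, 1);
printf "vnet2, tag 100: %d\n", $env->check_sdn_bridge('alice@pve', 'myzone', 'vnet2', 100, $privs, 1);
printf "vnet2, tag 200: %d\n", $env->check_sdn_bridge('alice@pve', 'myzone', 'vnet2', 200, $privs, 1);
```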