[pve-devel] [PATCH pve-access-control 2/2] rpcenvironment: add check_sdn_bridge

Fabian Grünbichler f.gruenbichler at proxmox.com
Tue Jun 6 14:37:05 CEST 2023

On June 6, 2023 2:15 pm, DERUMIER, Alexandre wrote:
>> > +       # check propagate on bridge itself
>> > +       return 1 if $self->check_any($username, $path, $privs,
>> > $noerr);
>> this doesn't actually check propagation though? for that you could
>> either:
>> - use $self->permissions (it returns the propagate bit)
>> - query a non-existing vlan child path with check_any
> do we really need to check propagation?
> Here, we want to check if the user has permission on the bridge,
> if the user has an acl on a vlan of the bridge
> or
> if the user has access to the bridge (propagate or not).
> for example, if I check with a dummy vlanid, /sdn/zones/myzone/vnet1/0,
> it'll be ok if the user has propagate on vnet1, but not if the user
> doesn't have propagate

you are right, we don't need to check for propagation here. so basically
we have two parts - maybe those could be added as a comment, and another
higher-level one for the whole helper to make it clear what it actually

# checks whether user has $privs on the bridge/vnet in any fashion
sub check_sdn_bridge {
# check explicit VLAN tag ACLs
# check bridge/vnet itself

and then we could also turn the order around, and check the bridge
first as a fast path that does less work?
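A small model of the two-part check discussed in this thread, added here as an illustration and not code from pve-access-control: `check_any` models path ACLs with a propagate bit, and `check_sdn_bridge` does the bridge fast path first, then looks for explicit VLAN-tag ACLs. The ACL entries and the privilege name "SDN.Use" are constructed for the example.

```python
# Constructed model of the ACL semantics in the thread above; not PVE code.
# An ACL grants privileges to a user at a path; propagate=True means the
# grant is inherited by every path below it.
from dataclasses import dataclass


@dataclass(frozen=True)
class Acl:
    path: str
    user: str
    privs: frozenset
    propagate: bool


def _is_ancestor(parent, child):
    """True if `parent` is a strict ancestor of `child` in the ACL path tree."""
    return child != parent and child.startswith(parent.rstrip("/") + "/")


def check_any(acls, user, path, privs):
    """Model of check_any: any of `privs` at `path`, either set directly on
    that path or inherited from an ancestor ACL that has propagate set."""
    for a in acls:
        if a.user != user or not (a.privs & privs):
            continue
        if a.path == path or (a.propagate and _is_ancestor(a.path, path)):
            return True
    return False


def check_sdn_bridge(acls, user, bridge, privs):
    """Whether the user has `privs` on the bridge/vnet in any fashion."""
    # fast path: ACL on the bridge/vnet itself, propagate or not
    if check_any(acls, user, bridge, privs):
        return True
    # explicit VLAN tag ACLs: an ACL set directly on a child path of the bridge
    return any(
        a.user == user and a.privs & privs and a.path.rsplit("/", 1)[0] == bridge
        for a in acls
    )


# Constructed sample ACLs; the privilege name "SDN.Use" is assumed.
PRIVS = frozenset({"SDN.Use"})
BRIDGE = "/sdn/zones/myzone/vnet1"
ACLS = [
    Acl(BRIDGE, "alice", PRIVS, propagate=False),         # bridge, no propagate
    Acl(BRIDGE + "/100", "bob", PRIVS, propagate=False),  # explicit VLAN tag
    Acl(BRIDGE, "dave", PRIVS, propagate=True),           # bridge with propagate
]
```

Querying a dummy child such as `BRIDGE + "/0"` with `check_any` succeeds only for dave, which is why that query tests propagation rather than plain access to the bridge.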
