[pve-devel] [PATCH access-control] api: role: remove role references from acl rules on role deletion
Daniel Kral
d.kral at proxmox.com
Wed Feb 5 10:21:14 CET 2025
On 2/3/25 12:49, Fiona Ebner wrote:
> Am 04.12.24 um 16:11 schrieb Daniel Kral:
>> Let the API endpoint `DELETE /access/roles/{roleid}` or command
>> `pveum role delete <roleid>` remove any ACL rules in the user
>> configuration, which reference the removed role.
>>
>> Before this change, the removal of a role has caused the role to remain
>> in existing ACL rules, which referenced the removed role. Therefore, on
>> each parse of the user configuration, a warning was be displayed:
>>
>> user config - ignore invalid acl role '<role>'
>>
>
> Might be good to note that the next modification of the configuration
> would drop the unknown role (even if a role with the same name is
> re-added right away).
Thanks, will mention that in the v2!
Just for clarification, what could be an/the use case of deleting and
re-adding the role? It could be certainly beneficial to add a small
reminder in the WebUI, that removing a user/group/role will also delete
its dependents.
On 2/3/25 12:49, Fiona Ebner wrote:
> What would be really nice is to have some tests for various
> add/modify/delete sequences touching user.cfg :) I don't think current
> tests cover that yet.
I'll gladly provide these with a v2 to document the changes and also
just enforce this behavior in the future :).
More information about the pve-devel
mailing list