From 0716a56be3fc8be775a4afc818e8cad6727dc91c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= Date: Fri, 3 Jun 2022 13:50:48 +0200 Subject: [PATCH] permissions: fix token/user priv intersection MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit the token/user priv intersection could only honored user privs that had the propagation flag set, reducing the scope of the token more than intended. the pre-existing test case actually triggered the broken behaviour, but the expected value matched it so it was not noticed. Fixes: e8a0cee47bb477162f291e67144ea0c0df47f2ee "rpcenv: improve user/token intersection" Signed-off-by: Fabian Grünbichler --- src/PVE/RPCEnvironment.pm | 2 +- src/test/perm-test8.pl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm index b5da4f2..a0c7555 100644 --- a/src/PVE/RPCEnvironment.pm +++ b/src/PVE/RPCEnvironment.pm @@ -82,7 +82,7 @@ my $compile_acl_path = sub { if ($username && $username ne 'root@pam') { # intersect user and token permissions my $user_privs = $cache->{$username}->{privs}->{$path}; - my $filtered_privs = [ grep { $user_privs->{$_} } keys %$privs ]; + my $filtered_privs = [ grep { defined($user_privs->{$_}) } keys %$privs ]; $privs = { map { $_ => $user_privs->{$_} && $privs->{$_} } @$filtered_privs }; } diff --git a/src/test/perm-test8.pl b/src/test/perm-test8.pl index 83ca1f2..5dab6c6 100644 --- a/src/test/perm-test8.pl +++ b/src/test/perm-test8.pl @@ -63,7 +63,7 @@ check_roles('max@pve!token', '/vms/200', 'storage_manager'); check_roles('max@pve!token2', '/vms/200', 'customer'); # check intersection -> token has Administrator, but user only vm_admin -check_permission('max@pve!token2', '/vms/300', 'Permissions.Modify,VM.Allocate,VM.Audit,VM.Console'); +check_permission('max@pve!token2', '/vms/300', 'Permissions.Modify,VM.Allocate,VM.Audit,VM.Console,VM.PowerMgmt'); print "all tests passed\n";