proxmox-mirrors/pve-access-control
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-access-control synced 2025-10-04 21:05:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

permissions: fix token/user priv intersection

Browse Source 
the token/user priv intersection could only honored user privs that had
the propagation flag set, reducing the scope of the token more than
intended.

the pre-existing test case actually triggered the broken behaviour, but
the expected value matched it so it was not noticed.

Fixes: e8a0cee47b "rpcenv: improve user/token intersection"

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Fabian Grünbichler 2022-06-03 13:50:48 +02:00 committed by Thomas Lamprecht
parent b55e33f4e4
commit 0716a56be3
2 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/PVE/RPCEnvironment.pm
View File

@ -82,7 +82,7 @@ my $compile_acl_path = sub {
if ($username && $username ne 'root@pam') {
# intersect user and token permissions
my $user_privs = $cache->{$username}->{privs}->{$path};
my $filtered_privs = [ grep { $user_privs->{$_} } keys %$privs ];
my $filtered_privs = [ grep { defined($user_privs->{$_}) } keys %$privs ];
$privs = { map { $_ => $user_privs->{$_} && $privs->{$_} } @$filtered_privs };
}

2
src/test/perm-test8.pl
View File

@ -63,7 +63,7 @@ check_roles('max@pve!token', '/vms/200', 'storage_manager');
check_roles('max@pve!token2', '/vms/200', 'customer');
# check intersection -> token has Administrator, but user only vm_admin
check_permission('max@pve!token2', '/vms/300', 'Permissions.Modify,VM.Allocate,VM.Audit,VM.Console');
check_permission('max@pve!token2', '/vms/300', 'Permissions.Modify,VM.Allocate,VM.Audit,VM.Console,VM.PowerMgmt');
print "all tests passed\n";