fix NoAccess when inheritred from pool

PVE/RPCEnvironment.pm

@@ -129,8 +129,12 @@ my $compile_acl_path = sub {
     # Note: assume we do not want to propagate those privs
     if ($data->{poolroles}->{$path}) {
 	if (!($ra[0] && $ra[0] eq 'NoAccess')) {
-	    foreach my $role (keys %{$data->{poolroles}->{$path}}) {
-		push @ra, $role;
+	    if ($data->{poolroles}->{$path}->{NoAccess}) {
+		@ra = ('NoAccess');
+	    } else {
+		foreach my $role (keys %{$data->{poolroles}->{$path}}) {
+		    push @ra, $role;
+		}
 	    }
 	}
     }

test/Makefile

@@ -9,4 +9,5 @@ check:
 	perl -I.. perm-test4.pl
 	perl -I.. perm-test5.pl
 	perl -I.. perm-test6.pl
+	perl -I.. perm-test7.pl
 

test/perm-test7.pl

@@ -0,0 +1,33 @@
+#!/usr/bin/perl -w
+
+use strict;
+use PVE::Tools;
+use PVE::AccessControl;
+use PVE::RPCEnvironment;
+use Getopt::Long;
+
+my $rpcenv = PVE::RPCEnvironment->init('cli');
+
+my $cfgfn = "test7.cfg";
+$rpcenv->init_request(userconfig => $cfgfn);
+
+sub check_roles {
+    my ($user, $path, $expected_result) = @_;
+
+    my @ra = $rpcenv->roles($user, $path);
+    my $res = join(',', sort @ra);
+
+    die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
+	if $res ne $expected_result;
+
+    print "ROLES:$path:$user:$res\n";
+}
+
+
+check_roles('User1@pve', '/vms', 'Role1');
+check_roles('User1@pve', '/vms/200', 'Role1');
+check_roles('User1@pve', '/vms/100', 'NoAccess');
+
+print "all tests passed\n";
+
+exit (0);

test/test7.cfg

@@ -0,0 +1,15 @@
+user:User1@pve:1:
+user:User2@pve:1:
+
+group:GroupA:User1@pve,User2@pve:
+group:GroupB:User1@pve,User2@pve:
+
+role:Role1:VM.PowerMgmt:
+role:Role2:VM.Console:
+role:Role3:VM.Console:
+
+acl:1:/pool/devel:User1@pve:NoAccess:
+
+acl:1:/vms:User1@pve:Role1:
+
+pool:devel:Development:100:store1: