[pve-devel] applied: [PATCH access-control v3 1/3] fix #1501: pveum: die when deleting special role

Wolfgang Bumiller w.bumiller at proxmox.com
Fri Sep 22 08:57:18 CEST 2017


applied with followup patch (see below)

On Thu, Sep 21, 2017 at 11:09:14AM +0200, Philip Abernethy wrote:
> Die with a helpful error message instead of silently ignoring the user
> when trying to delete a special role.
> Also add a property to the API answer for possible later use by the
> WebUI.
> ---
>  PVE/API2/Role.pm     | 6 +++++-
>  PVE/AccessControl.pm | 5 +++++
>  2 files changed, 10 insertions(+), 1 deletion(-)
> 
> diff --git a/PVE/API2/Role.pm b/PVE/API2/Role.pm
> index 6392e13..0216c8d 100644
> --- a/PVE/API2/Role.pm
> +++ b/PVE/API2/Role.pm
> @@ -44,7 +44,8 @@ __PACKAGE__->register_method ({
>   
>  	foreach my $role (keys %{$usercfg->{roles}}) {
>  	    my $privs = join(',', sort keys %{$usercfg->{roles}->{$role}});
> -	    push @$res, { roleid => $role, privs => $privs };
> +	    push @$res, { roleid => $role, privs => $privs,
> +		special => PVE::AccessControl::role_is_special($role) };
>  	}
>  
>  	return $res;
> @@ -195,6 +196,9 @@ __PACKAGE__->register_method ({
>  		die "role '$role' does not exist\n"
>  		    if !$usercfg->{roles}->{$role};
>  	
> +		die "auto-generated role '$role' can not be deleted\n"
> +		    if PVE::AccessControl::role_is_special($role);

This block here holds a file lock, but the check only needs to know the
role parameter and does not depend on anything else, so I moved it up
to before acquiring the lock.

> +
>  		delete ($usercfg->{roles}->{$role});
>  
>  		# fixme: delete role from acl?
> diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
> index 7d02cdf..98e2fd6 100644
> --- a/PVE/AccessControl.pm
> +++ b/PVE/AccessControl.pm
> @@ -502,6 +502,11 @@ sub create_roles {
>  
>  create_roles();
>  
> +sub role_is_special {
> +    my ($role) = @_;
> +    return exists $special_roles->{$role};
> +}
> +
>  sub add_role_privs {
>      my ($role, $usercfg, $privs) = @_;
>  
> -- 
> 2.11.0




More information about the pve-devel mailing list