mirror of
git://git.proxmox.com/git/pve-access-control.git
synced 2025-01-06 13:17:54 +03:00
api: ACL update: fix handling of Permissions.Modify

With the PVE 8.0 major release, the scope of
non-"Permissions.Modify"-based ACL update privileges was reduced (so
that users with, for example, VM.Allocate on a VM could only delegate
their own privileges, but not arbitrary other ones). That additional
logic had a wrong guard and was accidentally triggered for calls where
the user had the "Permissions.Modify" privilege on the modified ACL
path, but without propagation set.

A user with "Permissions.Modify" on a path should be able to set
arbitrary ACLs for that path, even without propagation.

Reported on the forum: https://forum.proxmox.com/threads/151032/

Fixes: 46bfd59 ("acls: restrict less-privileged ACL modifications")
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
parent 2c74a9abd5
commit 7d05a239d2
@ -166,7 +166,8 @@ __PACKAGE__->register_method ({
|
|||||||
die "role '$role' does not exist\n"
|
die "role '$role' does not exist\n"
|
||||||
if !$cfg->{roles}->{$role};
|
if !$cfg->{roles}->{$role};
|
||||||
|
|
||||||
if (!$auth_user_privs->{'Permissions.Modify'}) {
|
# permissions() returns set privs as key, and propagate bit as value!
|
||||||
|
if (!defined($auth_user_privs->{'Permissions.Modify'})) {
|
||||||
# 'perm-modify' allows /vms/* with VM.Allocate and similar restricted use cases
|
# 'perm-modify' allows /vms/* with VM.Allocate and similar restricted use cases
|
||||||
# filter those to only allow handing out a subset of currently active privs
|
# filter those to only allow handing out a subset of currently active privs
|
||||||
my $role_privs = $cfg->{roles}->{$role};
|
my $role_privs = $cfg->{roles}->{$role};
|
||||||
|
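Review bot: The guard on the changed `if` line uses `!defined($auth_user_privs->{'Permissions.Modify'})`, which is only right as long as permissions() never stores an undef value under a privilege the user holds. The added comment says the key marks the privilege as set and the value is only the propagate bit, so `exists $auth_user_privs->{'Permissions.Modify'}` would test exactly that and not depend on the value at all. The old truthiness test went wrong because a propagate bit that is not set evaluates as false, so it is worth checking whether other callers test permissions() results by truthiness in the same way. A regression test for the case in the commit message (user holds Permissions.Modify on the path without propagation and assigns a role containing privileges they do not hold themselves) would pin this behaviour down.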