fix(xo-server/self): remove ACLs when user is removed from resource set (#4874)

2020-03-25 14:26:43 +01:00
parent c2418559f1
commit 2ad07c018e
1 changed files with 24 additions and 0 deletions
--- a/packages/xo-server/src/xo-mixins/resource-sets.js
+++ b/packages/xo-server/src/xo-mixins/resource-sets.js
@@ -2,6 +2,7 @@ import asyncMap from '@xen-orchestra/async-map'
 import deferrable from 'golike-defer'
 import synchronized from 'decorator-synchronized'
 import {
+  difference,
  every,
  forEach,
  isObject,
@@ -159,7 +160,9 @@ export default class {
    throw noSuchObject(id, 'resourceSet')
  }

+  @deferrable
  async updateResourceSet(
+    $defer,
    id,
    {
      name = undefined,
@@ -174,6 +177,27 @@ export default class {
      set.name = name
    }
    if (subjects) {
+      await Promise.all(
+        difference(set.subjects, subjects).map(async subjectId =>
+          Promise.all(
+            (await this._xo.getAclsForSubject(subjectId)).map(async acl => {
+              try {
+                const object = this._xo.getObject(acl.object)
+                if (object.type === 'VM' && object.resourceSet === id) {
+                  await this._xo.removeAcl(subjectId, acl.object, acl.action)
+                  $defer.onFailure(() =>
+                    this._xo.addAcl(subjectId, acl.object, acl.action)
+                  )
+                }
+              } catch (error) {
+                if (!noSuchObject.is(error)) {
+                  throw error
+                }
+              }
+            })
+          )
+        )
+      )
      set.subjects = subjects
    }
    if (objects) {