From 2ad07c018e7a3365f0c0f86cf822248902644c06 Mon Sep 17 00:00:00 2001
From: Pierre Donias
Date: Wed, 25 Mar 2020 14:26:43 +0100
Subject: [PATCH] fix(xo-server/self): remove ACLs when user is removed from resource set (#4874)
---
 .../xo-server/src/xo-mixins/resource-sets.js | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/packages/xo-server/src/xo-mixins/resource-sets.js b/packages/xo-server/src/xo-mixins/resource-sets.js
index 60beae7fc..1ba5f97e6 100644
--- a/packages/xo-server/src/xo-mixins/resource-sets.js
+++ b/packages/xo-server/src/xo-mixins/resource-sets.js
@@ -2,6 +2,7 @@ import asyncMap from '@xen-orchestra/async-map'
 import deferrable from 'golike-defer'
 import synchronized from 'decorator-synchronized'
 import {
+ difference,
 every,
 forEach,
 isObject,
@@ -159,7 +160,9 @@ export default class {
 throw noSuchObject(id, 'resourceSet')
 }
 
+ @deferrable
 async updateResourceSet(
+ $defer,
 id,
 {
 name = undefined,
@@ -174,6 +177,27 @@ export default class {
 set.name = name
 }
 if (subjects) {
+ await Promise.all(
+ difference(set.subjects, subjects).map(async subjectId =>
+ Promise.all(
+ (await this._xo.getAclsForSubject(subjectId)).map(async acl => {
+ try {
+ const object = this._xo.getObject(acl.object)
+ if (object.type === 'VM' && object.resourceSet === id) {
+ await this._xo.removeAcl(subjectId, acl.object, acl.action)
+ $defer.onFailure(() =>
+ this._xo.addAcl(subjectId, acl.object, acl.action)
+ )
+ }
+ } catch (error) {
+ if (!noSuchObject.is(error)) {
+ throw error
+ }
+ }
+ })
+ )
+ )
+ )
 set.subjects = subjects
 }
 if (objects) {
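Review bot: The new `$defer` first parameter of `updateResourceSet` is undocumented, and the signature now reads as if callers had to supply it. With the `@deferrable` decorator from golike-defer the argument is injected, so existing callers keep passing `(id, props)`; a comment above the decorator would make that explicit, e.g. `// $defer is injected by @deferrable; callers pass (id, props)`. The same comment should say that handlers registered through `$defer.onFailure` re-grant ACLs when the method throws, since that is a privilege-restoring side effect. The method body continues outside this hunk.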
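Review bot: In the block added under `if (subjects)`, the removals run concurrently inside nested `Promise.all`, so one rejection can trigger the `@deferrable` rollback while sibling `removeAcl` calls are still in flight; their `$defer.onFailure` re-add may then be registered too late, leaving ACLs revoked for a subject that is still listed in the set. The `try` also wraps `removeAcl`, so a `noSuchObject` raised during the revocation itself would be dropped silently, not only the lookup miss from `getObject`. A sequential version with the `try` narrowed to the lookup is sketched below. On scope, only ACLs held directly by a removed subject id on `type === 'VM'` objects are revoked; if `subjects` can hold group ids (not visible here), members' own ACLs would remain, which deserves a comment such as `// revokes direct ACLs of removed subjects on this set's VMs only`. `updateResourceSet` starts and ends outside this hunk.

```javascript
if (subjects) {
  for (const subjectId of difference(set.subjects, subjects)) {
    for (const acl of await this._xo.getAclsForSubject(subjectId)) {
      let object
      try {
        object = this._xo.getObject(acl.object)
      } catch (error) {
        // the ACL points at an object that no longer exists: nothing to revoke
        if (noSuchObject.is(error)) {
          continue
        }
        throw error
      }
      if (object.type === 'VM' && object.resourceSet === id) {
        await this._xo.removeAcl(subjectId, acl.object, acl.action)
        // registered before the next removal starts, so a later failure restores it
        $defer.onFailure(() =>
          this._xo.addAcl(subjectId, acl.object, acl.action)
        )
      }
    }
  }
  // … unchanged: set.subjects = subjects …
```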