Fix: acl: Do not delay evaluation of added nodes in some situations

beekhof · beekhof · commit 84ac07c7d02b · 2015-04-07T10:14:15.000+10:00
It is not appropriate when the node has no children as it is not a
placeholder
diff --git a/lib/common/xml.c b/lib/common/xml.c
@@ -1020,13 +1020,16 @@ __xml_acl_post_process(xmlNode * xml)
 
     if(is_set(p->flags, xpf_created)) {
         xmlAttr *xIter = NULL;
+        char *path = xml_get_path(xml);
 
-        /* Always allow new scaffolding, ie. node with no attributes or only an 'id' */
+        /* Always allow new scaffolding, ie. node with no attributes or only an 'id'
+         * Except in the ACLs section
+         */
 
         for (xIter = crm_first_attr(xml); xIter != NULL; xIter = xIter->next) {
             const char *prop_name = (const char *)xIter->name;
 
-            if (strcmp(prop_name, XML_ATTR_ID) == 0) {
+            if (strcmp(prop_name, XML_ATTR_ID) == 0 && strstr(path, "/"XML_CIB_TAG_ACLS"/") == NULL) {
                 /* Delay the acl check */
                 continue;
 
@@ -1035,7 +1038,6 @@ __xml_acl_post_process(xmlNode * xml)
                 break;
 
             } else {
-                char *path = xml_get_path(xml);
                 crm_trace("Cannot add new node %s at %s", crm_element_name(xml), path);
 
                 if(xml != xmlDocGetRootElement(xml->doc)) {
@@ -1046,6 +1048,7 @@ __xml_acl_post_process(xmlNode * xml)
                 return;
             }
         }
+        free(path);
     }
 
     while (cIter != NULL) {
