Win_dacl module: fix FULLCONTROL / FILE_ALL_ACCESS definition #31906
What does this PR do?
Fix FULLCONTROL / FILE_ALL_ACCESS definition (bugfix and code simplification).
Use consistent mechanism for obtaining user SID.
Allow wildcarding (via optional parameters) for a variety of methods (get, rm_ace, check_ace).
What issues does this PR fix or reference?
None.
Previous Behavior
Adding a FULLCONTROL ACE with FOLDER&SUBFOLDERS&FILES propagation to a file system object resulted in Windows Explorer showing "Special" for that file system object. This is because multiple ACEs were created as a result - one that was "folder only" and one that was "subfolders and files".
This had the side effect of causing check_ace (and therefore the win_dacl.present state) to always report that ACE as missing, so each repeated state run would add another pair of ACEs to the DACL.
Secondarily, most functions required exact matching to execute. For example, rm_ace required that the user, access type, permission, and propagation all match exactly. This made it impossible to remove all ACEs for a given user (for example).
New Behavior
When using FULLCONTROL and FOLDER&SUBFOLDERS&FILES propagation, a single ACE is added and is correctly found after it has been added.
Secondarily, if optional parameters are omitted (or set to None) then wildcard matching is allowed for certain functions, making it possible to remove all ACEs for a given user (or all DENY ACEs for that user, etc.).
Tests written?
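
The "Previous Behavior" and "New Behavior" sections above, as an added example that is not part of the pull request or of Salt's code: a pure-Python model of a DACL that shows why an exact-match check never finds a split ACE pair, and how None works as a wildcard. It calls no Windows API; the `Ace` tuple, the helper names, the account name and the `FOLDER` / `SUBFOLDERS&FILES` labels are constructed for illustration, and `check_ace` / `rm_ace` here are simplified stand-ins, not the module's signatures.

```python
from typing import NamedTuple

class Ace(NamedTuple):
    user: str
    acetype: str      # "GRANT" or "DENY"
    permission: str   # e.g. "FULLCONTROL"
    propagation: str  # e.g. "FOLDER&SUBFOLDERS&FILES"

def matches(ace, user, acetype=None, permission=None, propagation=None):
    # A field left as None is a wildcard; every other field must match exactly.
    wanted = (user, acetype, permission, propagation)
    return all(w is None or w == have for w, have in zip(wanted, ace))

def check_ace(dacl, user, acetype=None, permission=None, propagation=None):
    return any(matches(a, user, acetype, permission, propagation) for a in dacl)

def rm_ace(dacl, user, acetype=None, permission=None, propagation=None):
    return [a for a in dacl
            if not matches(a, user, acetype, permission, propagation)]

def add_split(dacl, ace):
    # Previous behavior as described: the request ends up as two ACEs.
    return dacl + [ace._replace(propagation="FOLDER"),
                   ace._replace(propagation="SUBFOLDERS&FILES")]

def add_single(dacl, ace):
    # New behavior: one ACE, stored exactly as requested.
    return dacl + [ace]

def run_state(ace, add, runs=3):
    # Model of a "present" state: add only when the exact ACE is not found.
    dacl = []
    for _ in range(runs):
        if not check_ace(dacl, *ace):
            dacl = add(dacl, ace)
    return dacl

# Constructed sample request.
WANTED = Ace("CONTOSO\\svc_app", "GRANT", "FULLCONTROL", "FOLDER&SUBFOLDERS&FILES")

if __name__ == "__main__":
    print("split, 3 runs :", len(run_state(WANTED, add_split)), "ACEs")
    print("single, 3 runs:", len(run_state(WANTED, add_single)), "ACE")
    grown = run_state(WANTED, add_split)
    print("after wildcard rm_ace:", len(rm_ace(grown, WANTED.user)), "ACEs")
```
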