[PR #85] [MERGED] fix: guests: get rid of ghost guest accesses in corner cases #224

Closed
opened 2026-05-07 00:19:53 +02:00 by BreizhHardware · 0 comments

📋 Pull Request Information

Original PR: https://github.com/ovh/the-bastion/pull/85
Author: @speed47
Created: 12/10/2020
Status: Merged
Merged: 12/10/2020
Merged by: @speed47

Base: master ← Head: guestfix


📝 Commits (1)

  • 39ddc4c fix: guests: get rid of ghost guest accesses in corner cases

📊 Changes

2 files changed (+70 additions, -1 deletions)

View changed files

📝 lib/perl/OVH/Bastion/Plugin/groupSetRole.pm (+43 -1)
📝 tests/functional/tests.d/350-groups.sh (+27 -0)

📄 Description

Adding a guest access to a member of a group is now denied, to avoid having
dangling guest accesses when their membership is revoked. In effect, they
could no longer access the group servers, even as guest, because they no longer
had access to the group key, but their previous guest accesses were still
visible in groupListGuestAccesses, causing possible confusion.

We now also revoke all guest accesses of an account to a group, if any,
when it's being set as a member of this group, so that when/if the account
membership is revoked, we don't end up with the same ghost guest accesses as above.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
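
The two corner cases from the description, as a simplified model added here for illustration; it is not code from the PR or from The Bastion. The `Group` class, its fields, the `strict` switch and the modelling of key access as a `key_holders` set are assumptions, and the account and server values are constructed.

```python
class Group:
    """Toy model of one bastion group (hypothetical structure)."""

    def __init__(self, strict):
        self.strict = strict      # True = behaviour described for this PR
        self.members = set()      # accounts with the member role
        self.key_holders = set()  # accounts able to use the group key
        self.guest_acl = {}       # account -> set of servers granted as guest

    def add_guest_access(self, account, server):
        # New rule: a member cannot also be given guest accesses.
        if self.strict and account in self.members:
            raise PermissionError(f"{account} is already a member")
        self.key_holders.add(account)
        self.guest_acl.setdefault(account, set()).add(server)

    def set_member(self, account):
        # New rule: promotion to member drops any existing guest accesses.
        if self.strict:
            self.guest_acl.pop(account, None)
        self.members.add(account)
        self.key_holders.add(account)

    def revoke_member(self, account):
        # Revoking membership removes key access but never touches guest_acl.
        self.members.discard(account)
        self.key_holders.discard(account)

    def ghost_accesses(self):
        # Guest entries still listed for accounts that cannot use the key.
        return {a: sorted(s) for a, s in self.guest_acl.items()
                if s and a not in self.key_holders}


def scenario(strict, guest_first):
    """Run one ordering of guest grant / member promotion, then revoke."""
    g = Group(strict)
    if guest_first:
        g.add_guest_access("alice", "192.0.2.10")   # constructed sample data
        g.set_member("alice")
    else:
        g.set_member("alice")
        try:
            g.add_guest_access("alice", "192.0.2.10")
        except PermissionError:
            pass                                     # denied under the new rule
    g.revoke_member("alice")
    return g.ghost_accesses()
```

`ghost_accesses()` doubles as an audit check: any entry it returns is an access that is listed but no longer usable.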

Reference
starred/the-bastion#224