policy/v2: fix grant-only policies returning FilterAllowAll

compileFilterRules checked only pol.ACLs == nil to decide whether
to return FilterAllowAll (permit-any). Policies that use only Grants
(no ACLs) had nil ACLs, so the function short-circuited before
compiling any CapGrant rules. This meant cap/relay, cap/drive, and
any other App-based grant capabilities were silently ignored.

Check both ACLs and Grants are empty before returning FilterAllowAll.

Updates #2180
Kristoffer Dalby
2026-03-23 08:22:26 +00:00
parent a739862c65
commit 8573ff9158

@@ -137,7 +137,7 @@ func (pol *Policy) compileFilterRules(
users types.Users,
nodes views.Slice[types.NodeView],
) ([]tailcfg.FilterRule, error) {
if pol == nil || pol.ACLs == nil {
if pol == nil || (pol.ACLs == nil && len(pol.Grants) == 0) {
return tailcfg.FilterAllowAll, nil
}
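
Review bot: The new condition tests the two fields differently: `pol.ACLs == nil` is a nil check while `len(pol.Grants) == 0` is a length check. A policy with a non-nil but empty ACLs slice and no grants falls through to rule compilation, whereas a policy with a non-nil but empty Grants slice and nil ACLs still returns `tailcfg.FilterAllowAll`. The commit message says both should be "empty", and this branch decides between permit-any and compiled rules, so use one semantics for both fields (nil for both, or `len(...) == 0` for both) and record the choice in a comment above the `if`. A regression test with a grant-only policy that asserts the result is not `FilterAllowAll` would pin the fix.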