diff --git a/pbs-api-types/src/jobs.rs b/pbs-api-types/src/jobs.rs
index 5dbfe49c..d3739315 100644
--- a/pbs-api-types/src/jobs.rs
+++ b/pbs-api-types/src/jobs.rs
@@ -223,6 +223,15 @@ pub struct VerificationJobConfig {
 pub max_depth: Option,
 }
+impl VerificationJobConfig {
+ pub fn store_with_ns(&self) -> DatastoreWithNamespace {
+ DatastoreWithNamespace {
+ store: self.store.clone(),
+ ns: self.ns.clone().unwrap_or_default(),
+ }
+ }
+}
+
 #[api(
 properties: {
 config: {
diff --git a/src/api2/admin/verify.rs b/src/api2/admin/verify.rs
index ebdf2d19..717db3a6 100644
--- a/src/api2/admin/verify.rs
+++ b/src/api2/admin/verify.rs
@@ -58,7 +58,7 @@ pub fn list_verification_jobs(
 .convert_to_typed_array("verification")?
 .into_iter()
 .filter(|job: &VerificationJobConfig| {
- let privs = user_info.lookup_privs(&auth_id, &["datastore", &job.store]);
+ let privs = user_info.lookup_privs(&auth_id, &job.store_with_ns().acl_path());
 if privs & required_privs == 0 {
 return false;
 }
@@ -114,9 +114,11 @@ pub fn run_verification_job(
 let (config, _digest) = verify::config()?;
 let verification_job: VerificationJobConfig = config.lookup("verification", &id)?;
+ let store_with_ns = verification_job.store_with_ns();
+
 user_info.check_privs(
 &auth_id,
- &["datastore", &verification_job.store],
+ &store_with_ns.acl_path(),
 PRIV_DATASTORE_VERIFY,
 true,
 )?;
diff --git a/src/api2/config/verify.rs b/src/api2/config/verify.rs
index b7d1ffd4..98204f6e 100644
--- a/src/api2/config/verify.rs
+++ b/src/api2/config/verify.rs
@@ -45,7 +45,7 @@ pub fn list_verification_jobs(
 let list = list
 .into_iter()
 .filter(|job: &VerificationJobConfig| {
- let privs = user_info.lookup_privs(&auth_id, &["datastore", &job.store]);
+ let privs = user_info.lookup_privs(&auth_id, &job.store_with_ns().acl_path());
 privs & required_privs != 00
 })
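Review bot: `store_with_ns()` in pbs-api-types/src/jobs.rs is public and now feeds every permission check in this commit, yet it has no doc comment saying that a job without `ns` resolves to the default namespace through `unwrap_or_default()`. I would add `/// Datastore plus namespace this job targets; an unset ns falls back to the default namespace.` above the method so callers know which ACL path an unset namespace produces. The helper also clones `store` and `ns` on every call, and the list filters in src/api2/admin/verify.rs and src/api2/config/verify.rs call it once per job only to build an ACL path; a borrowing accessor would avoid that.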
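Review bot: In the `run_verification_job` hunk of src/api2/admin/verify.rs the privilege check covers only the job's own namespace path, while `VerificationJobConfig` also carries `max_depth` (visible in the jobs.rs hunk), which suggests the job can descend into child namespaces. If ACLs on a child namespace can differ from those on its parent, holding `PRIV_DATASTORE_VERIFY` on the anchor path would not by itself show that the caller may verify everything the job touches; whether the job runner filters per namespace is not visible here. If it does, a comment above the check such as `// checks the job's anchor namespace only; namespaces reached via max_depth are filtered by the verify worker` would record that assumption. The function body starts and ends outside the hunk.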
@@ -81,7 +81,7 @@ pub fn create_verification_job(
 user_info.check_privs(
 &auth_id,
- &["datastore", &config.store],
+ &config.store_with_ns().acl_path(),
 PRIV_DATASTORE_VERIFY,
 false,
 )?;
@@ -132,7 +132,7 @@ pub fn read_verification_job(
 let required_privs = PRIV_DATASTORE_AUDIT | PRIV_DATASTORE_VERIFY;
 user_info.check_privs(
 &auth_id,
- &["datastore", &verification_job.store],
+ &verification_job.store_with_ns().acl_path(),
 required_privs,
 true,
 )?;
@@ -215,10 +215,10 @@ pub fn update_verification_job(
 let mut data: VerificationJobConfig = config.lookup("verification", &id)?;
- // check existing store
+ // check existing store and NS
 user_info.check_privs(
 &auth_id,
- &["datastore", &data.store],
+ &data.store_with_ns().acl_path(),
 PRIV_DATASTORE_VERIFY,
 true,
 )?;
@@ -258,13 +258,6 @@ pub fn update_verification_job(
 }
 if let Some(store) = update.store {
- // check new store
- user_info.check_privs(
- &auth_id,
- &["datastore", &store],
- PRIV_DATASTORE_VERIFY,
- true,
- )?;
 data.store = store;
 }
@@ -289,6 +282,14 @@ pub fn update_verification_job(
 }
 }
+ // check new store and NS
+ user_info.check_privs(
+ &auth_id,
+ &data.store_with_ns().acl_path(),
+ PRIV_DATASTORE_VERIFY,
+ true,
+ )?;
+
 config.set_data(&id, "verification", &data)?;
 verify::save_config(&config)?;
@@ -334,7 +335,7 @@ pub fn delete_verification_job(
 let job: VerificationJobConfig = config.lookup("verification", &id)?;
 user_info.check_privs(
 &auth_id,
- &["datastore", &job.store],
+ &job.store_with_ns().acl_path(),
 PRIV_DATASTORE_VERIFY,
 true,
 )?;
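Review bot: In `update_verification_job` the check added in the `@@ -289,6 +282,14 @@` hunk authorizes whatever store and namespace `data` ends up with, but the `if let Some(store) = update.store` branch in the preceding hunk replaces `data.store` without touching `data.ns`, so a store-only update keeps the old namespace and is checked against that namespace on the new datastore. Nothing in the visible lines confirms that this namespace exists there; the code between the two hunks is not shown and may handle it. If it does not, either reset `data.ns` when the store changes or validate the namespace before `config.set_data`. The comment could also say why the check sits where it does, e.g. `// check the resulting store and NS once all updates are applied`.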