From c9078b189cce2594573c589f638a6978e63a92e6 Mon Sep 17 00:00:00 2001 From: Christian Ebner Date: Mon, 11 Nov 2024 16:43:42 +0100 Subject: [PATCH] api: config: factor out sync job owner check Move the sync job owner check to its own helper function, for it to be reused for the owner check for sync jobs in push direction. No functional change intended. Signed-off-by: Christian Ebner --- src/api2/config/sync.rs | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/api2/config/sync.rs b/src/api2/config/sync.rs index 38325f5b..3963049e 100644 --- a/src/api2/config/sync.rs +++ b/src/api2/config/sync.rs @@ -14,6 +14,7 @@ use pbs_api_types::{ use pbs_config::sync; use pbs_config::CachedUserInfo; +use pbs_datastore::check_backup_owner; pub fn check_sync_job_read_access( user_info: &CachedUserInfo, @@ -34,6 +35,14 @@ pub fn check_sync_job_read_access( } } +fn is_correct_owner(auth_id: &Authid, job: &SyncJobConfig) -> bool { + match job.owner { + Some(ref owner) => check_backup_owner(owner, auth_id).is_ok(), + // default sync owner + None => auth_id == Authid::root_auth_id(), + } +} + /// checks whether user can run the corresponding pull job /// /// namespace creation/deletion ACL and backup group ownership checks happen in the pull code directly. @@ -54,17 +63,8 @@ pub fn check_sync_job_modify_access( } } - let correct_owner = match job.owner { - Some(ref owner) => { - owner == auth_id - || (owner.is_token() && !auth_id.is_token() && owner.user() == auth_id.user()) - } - // default sync owner - None => auth_id == Authid::root_auth_id(), - }; - // same permission as changing ownership after syncing - if !correct_owner && ns_anchor_privs & PRIV_DATASTORE_MODIFY == 0 { + if !is_correct_owner(auth_id, job) && ns_anchor_privs & PRIV_DATASTORE_MODIFY == 0 { return false; }