From 138ecc60faff3ccfed2b5840ef448fc722d52320 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?=
Date: Tue, 5 Nov 2024 09:30:39 +0100
Subject: [PATCH] api: permissions: allow users to check their own tokens
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

even if they lack Sys.Audit on /access - since tokens are self-service, checking whether the ACLs work as expected should also be doable for every user.

Signed-off-by: Fabian Grünbichler
Tested-by: Daniel Kral
---
 src/PVE/API2/AccessControl.pm | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index 157a5ee..7fcf6fb 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -460,7 +460,11 @@ __PACKAGE__->register_method({
 method => 'GET',
 description => 'Retrieve effective permissions of given user/token.',
 permissions => {
- description => "Each user/token is allowed to dump their own permissions. A user can dump the permissions of another user if they have 'Sys.Audit' permission on /access.",
+ description => "Each user/token is allowed to dump their own ".
+ "permissions (or that of owned tokens). A user ".
+ "can dump the permissions of another user or ".
+ "their tokens if they have 'Sys.Audit' permission ".
+ "on /access.",
 user => 'all',
 },
 parameters => {
@@ -491,7 +495,11 @@ __PACKAGE__->register_method({
 my $userid = $param->{userid};
 $userid = $authid if !defined($userid);
- if ($userid ne $authid) {
+ my ($user, $token) = PVE::AccessControl::split_tokenid($userid, 1);
+ my $check_self = $userid eq $authid;
+ my $check_owned_token = defined($user) && $user eq $authid;
+
+ if (!($check_self || $check_owned_token)) {
 $rpcenv->check($rpcenv->get_user(), '/access', ['Sys.Audit']);
 }
 my $res;
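Review bot: The new owner check in the second hunk, `my $check_owned_token = defined($user) && $user eq $authid;`, is undocumented, and its safety rests on two things a reader cannot see in the hunk: that the `1` passed to split_tokenid is presumably a noerr flag that yields undef for a plain userid instead of dying, and that an owned token's effective permissions never exceed its owner's, so widening the self-check discloses nothing the owner could not already dump; I would add `# noerr split: undef for plain userids; owners may inspect their own tokens since token privileges are a subset of the owner's (confirm against PVE::AccessControl)` above the split. The comparison also stays strict when the caller is itself a token (a full tokenid never equals the bare user part), so a token cannot dump a sibling token's or its owner's permissions without Sys.Audit — worth stating in the same comment so the guard is not loosened later. `$token` is unused within the hunk, so `my ($user) = PVE::AccessControl::split_tokenid($userid, 1);` would make that explicit unless the rest of the sub uses it, and since the guard compares against `$authid` while the check passes `$rpcenv->get_user()`, passing `$authid` to check() would keep the identity consistent if, as it appears, they hold the same value. The enclosing code sub starts before and continues after the hunk, where `$authid` is defined.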