From 63f71d62c8b7e836e28bdf8df1c5a1bd36c72d7b Mon Sep 17 00:00:00 2001 From: Stefan Hanreich Date: Wed, 16 Jul 2025 15:07:55 +0200 Subject: [PATCH] permissions: add ACL paths for SDN fabrics Add permission path /sdn/fabrics/{fabric_id}. There are currently only SDN-specific permissions for the fabric itself, not the nodes. For displaying / editing the nodes, the existing permissions Sys.Audit or Sys.Modify on /nodes/{node} are required, because they are already used for viewing / editing the network configuration of a node. The node settings mostly revolve around configuring IPs and network interfaces on that node, so we decided to stick with the permission that is already governing that, since it would need to be checked when editing a node anyway. Otherwise, users with access to a fabric node could change parts of the network configuration of arbitrary interfaces on that node, circumventing the current permission checks. A separate, SDN-specific, permission would not add much benefit because of that. Signed-off-by: Stefan Hanreich Link: https://lore.proxmox.com/20250716130837.585796-35-g.goller@proxmox.com --- src/PVE/AccessControl.pm | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm index 7cd9129..cebb76f 100644 --- a/src/PVE/AccessControl.pm +++ b/src/PVE/AccessControl.pm @@ -1285,6 +1285,8 @@ sub check_path { |/sdn/controllers/[[:alnum:]\_\-]+ |/sdn/dns |/sdn/dns/[[:alnum:]]+ + |/sdn/fabrics + |/sdn/fabrics/[[:alnum:]]+ |/sdn/ipams |/sdn/ipams/[[:alnum:]]+ |/sdn/zones
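Review bot: the added `/sdn/fabrics/[[:alnum:]]+` alternative in check_path accepts only alphanumeric fabric IDs, whereas the `/sdn/controllers/[[:alnum:]\_\-]+` entry a few lines above also allows `_` and `-`. Please confirm this character class matches the fabric ID format; if a fabric ID can contain either character, its per-fabric path will not match here and permissions could only be granted at `/sdn/fabrics` or higher, which is coarser than the commit message intends. Separately, the commit message's reasoning that node settings stay under Sys.Audit / Sys.Modify on /nodes/{node} is a design decision admins need to know when delegating fabric access, so it is worth stating in the ACL path documentation as well, not only in the commit log.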