proxmox-mirrors/pve-access-control
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-access-control synced 2025-10-04 19:01:16 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

tfa list: account for admin permissions

Browse Source 
instead of restricting listing tfa entries of others to
root@pam, perform the same checks the user-list does and
which also reflect the permissions of the api calls actually
operating on those users, so, `User.Modify` on the user (but
also `Sys.Audit`, since it's only a read-operation, just
like the user index API call)

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This commit is contained in:
Wolfgang Bumiller 2021-12-06 14:33:44 +01:00
parent dd9e95b187
commit dc7ef2401a
1 changed files with 16 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/PVE/API2/TFA.pm
View File

@ -374,10 +374,24 @@ __PACKAGE__->register_method ({
my $rpcenv = PVE::RPCEnvironment::get();
my $authuser = $rpcenv->get_user();
my $top_level_allowed = ($authuser eq 'root@pam');
my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
return $tfa_cfg->api_list_tfa($authuser, $top_level_allowed);
my $entries = $tfa_cfg->api_list_tfa($authuser, 1);
my $privs = [ 'User.Modify', 'Sys.Audit' ];
if ($rpcenv->check_any($authuser, "/access/groups", $privs, 1)) {
# can modify all
return $entries;
}
my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
return [
grep {
my $userid = $_->{userid};
$userid eq $authuser || $allowed_users->{$userid}
} $entries->@*
];
}});
__PACKAGE__->register_method ({