From 00cc94d33e9c4e35f6a93fde3e71b5f56c7bf00d Mon Sep 17 00:00:00 2001
From: Dietmar Maurer <dietmar@proxmox.com>
Date: Mon, 6 Feb 2012 09:33:57 +0100
Subject: [PATCH] add permissions for task API

---
 PVE/API2/Tasks.pm | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/PVE/API2/Tasks.pm b/PVE/API2/Tasks.pm
index 79070df4..2c43adba 100644
--- a/PVE/API2/Tasks.pm
+++ b/PVE/API2/Tasks.pm
@@ -19,7 +19,10 @@ __PACKAGE__->register_method({
     name => 'node_tasks', 
     path => '', 
     method => 'GET',
-    permissions => { user => 'all' },
+    permissions => { 
+	description => "List task associated with the current user, or all task the user has 'Sys.Audit' permissions on /nodes/<node> (the <node> the task runs on).",
+	user => 'all' 
+    },
     description => "Read task list for one node (finished tasks).",
     proxyto => 'node',
     parameters => {
@@ -153,7 +156,10 @@ __PACKAGE__->register_method({
     path => '{upid}', 
     method => 'DELETE',
     description => 'Stop a task.',
-    permissions => { user => 'all' },
+    permissions => { 
+	description => "The user needs 'Sys.Modify' permissions on '/nodes/<node>' if the task does not belong to him.",
+	user => 'all', 
+    },
     protected => 1,
     proxyto => 'node',
     parameters => {
@@ -176,7 +182,7 @@ __PACKAGE__->register_method({
 	my $node = $param->{node};
 
 	if ($user ne $task->{user}) {
-	    $rpcenv->check($user, "/nodes/$node", [ 'Sys.Console' ]);
+	    $rpcenv->check($user, "/nodes/$node", [ 'Sys.Modify' ]);
 	}
 
 	PVE::RPCEnvironment::check_worker($param->{upid}, 1);
@@ -188,7 +194,10 @@ __PACKAGE__->register_method({
     name => 'read_task_log', 
     path => '{upid}/log', 
     method => 'GET',
-    permissions => { user => 'all' },
+    permissions => { 
+	description => "The user needs 'Sys.Audit' permissions on '/nodes/<node>' if the task does not belong to him.",
+	user => 'all',
+    },
     protected => 1,
     description => "Read task log.",
     proxyto => 'node',
@@ -274,7 +283,10 @@ __PACKAGE__->register_method({
     name => 'read_task_status', 
     path => '{upid}/status', 
     method => 'GET',
-    permissions => { user => 'all' },
+    permissions => { 
+	description => "The user needs 'Sys.Audit' permissions on '/nodes/<node>' if the task does not belong to him.",
+	user => 'all',
+    },
     protected => 1,
     description => "Read task status.",
     proxyto => 'node',