fix #3402: add Pool.Audit permission
Everywhere Pool.Allocate was used unnecessarily, it was replaced with Pool.Audit. `/cluster/resources` now returns pool information for guests only if the requesting user has the Pool.Audit permission on the pool. `/pool/` now returns only pools where the requesting user has the Pool.Audit permission. Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
parent
027f67e46d
commit
91db3ececc
@ -332,7 +332,7 @@ __PACKAGE__->register_method({
|
||||
for my $pool (sort keys %{$usercfg->{pools}}) {
|
||||
my $d = $usercfg->{pools}->{$pool};
|
||||
|
||||
next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Allocate' ], 1);
|
||||
next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Audit' ], 1);
|
||||
|
||||
my $entry = {
|
||||
id => "/pool/$pool",
|
||||
@ -384,6 +384,11 @@ __PACKAGE__->register_method({
|
||||
$entry->{lock} = $lock;
|
||||
}
|
||||
|
||||
if (defined($entry->{pool}) &&
|
||||
!$rpcenv->check($authuser, "/pool/$entry->{pool}", ['Pool.Audit'], 1)) {
|
||||
delete $entry->{pool};
|
||||
}
|
||||
|
||||
# get ha status
|
||||
if (my $hatype = $hatypemap->{$entry->{type}}) {
|
||||
my $sid = "$hatype:$vmid";
|
||||
|
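Review bot: Replacing `Pool.Allocate` with a bare `Pool.Audit` check in the pool loop of `/cluster/resources` means an account whose role carries `Pool.Allocate` but not the new privilege no longer sees pools it is still allowed to modify; the same substitution is made in the `GET {poolid}` permission and in the pool index further down. Whether the existing role definitions are granted `Pool.Audit` is not visible on this page, so either confirm that the roles change together with this commit or accept the old privilege as an alternative, e.g. `next if !$rpcenv->check_any($authuser, "/pool/$pool", [ 'Pool.Audit', 'Pool.Allocate' ], 1);`. The enclosing method starts and ends outside the hunks.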
@ -22,7 +22,7 @@ __PACKAGE__->register_method ({
|
||||
method => 'GET',
|
||||
description => "Pool index.",
|
||||
permissions => {
|
||||
description => "List all pools where you have Pool.Allocate or VM.Allocate permissions on /pool/<pool>.",
|
||||
description => "List all pools where you have Pool.Audit permissions on /pool/<pool>.",
|
||||
user => 'all',
|
||||
},
|
||||
parameters => {
|
||||
@ -47,9 +47,10 @@ __PACKAGE__->register_method ({
|
||||
|
||||
my $usercfg = $rpcenv->{user_cfg};
|
||||
|
||||
|
||||
my $res = [];
|
||||
for my $pool (sort keys %{$usercfg->{pools}}) {
|
||||
next if !$rpcenv->check_any($authuser, "/pool/$pool", [ 'Pool.Allocate', 'VM.Allocate' ], 1);
|
||||
next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Audit' ], 1);
|
||||
|
||||
my $entry = { poolid => $pool };
|
||||
my $pool_config = $usercfg->{pools}->{$pool};
|
||||
@ -200,7 +201,7 @@ __PACKAGE__->register_method ({
|
||||
path => '{poolid}',
|
||||
method => 'GET',
|
||||
permissions => {
|
||||
check => ['perm', '/pool/{poolid}', ['Pool.Allocate']],
|
||||
check => ['perm', '/pool/{poolid}', ['Pool.Audit']],
|
||||
},
|
||||
description => "Get pool configuration.",
|
||||
parameters => {
|
||||
|
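Review bot: The pool index filter drops `VM.Allocate` along with `Pool.Allocate`, so a user who could previously list a pool only through `VM.Allocate` on `/pool/<pool>` gets an empty index after this change unless `Pool.Audit` is granted as well. The updated `permissions` description reflects this, but the commit message only mentions `Pool.Allocate`. I would add a sentence to the commit message or changelog stating that `VM.Allocate` no longer makes a pool visible, so administrators with custom roles can adjust them before upgrading. The handler body continues outside the `@ -47` hunk.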
@ -226,7 +226,7 @@ __PACKAGE__->register_method ({
|
||||
|
||||
my $pool = $res->{pool};
|
||||
if (defined($pool) &&
|
||||
!$rpcenv->check($authuser, "/pool/$pool", ['Pool.Allocate'], 1)) {
|
||||
!$rpcenv->check($authuser, "/pool/$pool", ['Pool.Audit'], 1)) {
|
||||
delete $res->{pool};
|
||||
}
|
||||
|
||||
|
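Review bot: The guard that removes `$res->{pool}` is the same check that the `@ -384` hunk adds to `/cluster/resources`, and neither copy says why the field is dropped. I would put a one-line comment above the `if`, `# do not reveal pool membership to users without Pool.Audit on that pool`, and consider moving the check into a small shared helper so the two filters cannot drift apart when the privilege model changes again. The enclosing method starts and ends outside the hunk.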