proxmox-mirrors/pve-manager
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-manager synced 2025-07-16 17:40:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

api: backup: update: check permissions of delete params too

Browse Source 
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
This commit is contained in:
Fiona Ebner 2022-11-16 15:04:33 +01:00 committed by Thomas Lamprecht
parent 659032f48e
commit 9f65a584b7
1 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
PVE/API2/Backup.pm
View File

@ -54,6 +54,14 @@ sub assert_param_permission_common {
}
}
my sub assert_param_permission_update {
my ($rpcenv, $user, $update, $delete) = @_;
return if $user eq 'root@pam'; # always OK
assert_param_permission_common($rpcenv, $user, $update);
assert_param_permission_common($rpcenv, $user, $delete);
}
my $convert_to_schedule = sub {
my ($job) = @_;
@ -424,8 +432,6 @@ __PACKAGE__->register_method({
my $rpcenv = PVE::RPCEnvironment::get();
my $user = $rpcenv->get_user();
assert_param_permission_common($rpcenv, $user, $param);
if (my $pool = $param->{pool}) {
$rpcenv->check_pool_exist($pool);
$rpcenv->check($user, "/pool/$pool", ['VM.Backup']);
@ -437,6 +443,8 @@ __PACKAGE__->register_method({
my $delete = extract_param($param, 'delete');
$delete = { map { $_ => 1 } PVE::Tools::split_list($delete) } if $delete;
assert_param_permission_update($rpcenv, $user, $param, $delete);
my $update_job = sub {
my $data = cfs_read_file('vzdump.cron');
my $jobs_data = cfs_read_file('jobs.cfg');