mirror of
https://git.proxmox.com/git/pve-manager
synced 2025-08-17 12:08:28 +00:00
add/improve pool permission check
This commit is contained in:
Dietmar Maurer
parent
00267e948d
commit
a285f01438
@ -162,7 +162,7 @@ __PACKAGE__->register_method({
|
|||||||
foreach my $pool (keys %{$usercfg->{pools}}) {
|
foreach my $pool (keys %{$usercfg->{pools}}) {
|
||||||
my $d = $usercfg->{pools}->{$pool};
|
my $d = $usercfg->{pools}->{$pool};
|
||||||
|
|
||||||
next if !$rpcenv->check($authuser, "/pool/$pool", [ 'VM.Audit' ], 1);
|
next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Allocate' ], 1);
|
||||||
|
|
||||||
my $entry = {
|
my $entry = {
|
||||||
id => "/pool/$pool",
|
id => "/pool/$pool",
|
||||||
@ -180,8 +180,6 @@ __PACKAGE__->register_method({
|
|||||||
if (!$param->{type} || $param->{type} eq 'vm') {
|
if (!$param->{type} || $param->{type} eq 'vm') {
|
||||||
foreach my $vmid (keys %$idlist) {
|
foreach my $vmid (keys %$idlist) {
|
||||||
|
|
||||||
next if !$rpcenv->check($authuser, "/vms/$vmid", [ 'VM.Audit' ], 1);
|
|
||||||
|
|
||||||
my $data = $idlist->{$vmid};
|
my $data = $idlist->{$vmid};
|
||||||
my $entry = PVE::API2Tools::extract_vm_stats($vmid, $data, $rrd);
|
my $entry = PVE::API2Tools::extract_vm_stats($vmid, $data, $rrd);
|
||||||
if (defined($entry->{uptime})) {
|
if (defined($entry->{uptime})) {
|
||||||
@ -200,6 +198,8 @@ __PACKAGE__->register_method({
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
next if !$rpcenv->check($authuser, "/vms/$vmid", [ 'VM.Audit' ], 1);
|
||||||
|
|
||||||
push @$res, $entry;
|
push @$res, $entry;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -23,6 +23,7 @@ __PACKAGE__->register_method ({
|
|||||||
method => 'GET',
|
method => 'GET',
|
||||||
description => "Pool index.",
|
description => "Pool index.",
|
||||||
permissions => {
|
permissions => {
|
||||||
|
description => "List all pools where you have Pool.Allocate permissions on /pool/<pool>.",
|
||||||
user => 'all',
|
user => 'all',
|
||||||
},
|
},
|
||||||
parameters => {
|
parameters => {
|
||||||
@ -43,12 +44,15 @@ __PACKAGE__->register_method ({
|
|||||||
my ($param) = @_;
|
my ($param) = @_;
|
||||||
|
|
||||||
my $rpcenv = PVE::RPCEnvironment::get();
|
my $rpcenv = PVE::RPCEnvironment::get();
|
||||||
|
my $authuser = $rpcenv->get_user();
|
||||||
|
|
||||||
my $res = [];
|
my $res = [];
|
||||||
|
|
||||||
my $usercfg = $rpcenv->{user_cfg};
|
my $usercfg = $rpcenv->{user_cfg};
|
||||||
|
|
||||||
foreach my $pool (keys %{$usercfg->{pools}}) {
|
foreach my $pool (keys %{$usercfg->{pools}}) {
|
||||||
|
next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Allocate' ], 1);
|
||||||
|
|
||||||
my $entry = { poolid => $pool };
|
my $entry = { poolid => $pool };
|
||||||
my $data = $usercfg->{pools}->{$pool};
|
my $data = $usercfg->{pools}->{$pool};
|
||||||
$entry->{comment} = $data->{comment} if defined($data->{comment});
|
$entry->{comment} = $data->{comment} if defined($data->{comment});
|
||||||
@ -64,7 +68,7 @@ __PACKAGE__->register_method ({
|
|||||||
path => '',
|
path => '',
|
||||||
method => 'POST',
|
method => 'POST',
|
||||||
permissions => {
|
permissions => {
|
||||||
check => ['perm', '/access', ['Sys.Modify']],
|
check => ['perm', '/pool/{poolid}', ['Pool.Allocate']],
|
||||||
},
|
},
|
||||||
description => "Create new pool.",
|
description => "Create new pool.",
|
||||||
parameters => {
|
parameters => {
|
||||||
@ -104,7 +108,8 @@ __PACKAGE__->register_method ({
|
|||||||
path => '{poolid}',
|
path => '{poolid}',
|
||||||
method => 'PUT',
|
method => 'PUT',
|
||||||
permissions => {
|
permissions => {
|
||||||
check => ['perm', '/access', ['Sys.Modify']],
|
description => "You aslo need the right to modify permissions on any object you add/delete.",
|
||||||
|
check => ['perm', '/pool/{poolid}', ['Pool.Allocate']],
|
||||||
},
|
},
|
||||||
description => "Update pool data.",
|
description => "Update pool data.",
|
||||||
parameters => {
|
parameters => {
|
||||||
@ -133,6 +138,9 @@ __PACKAGE__->register_method ({
|
|||||||
code => sub {
|
code => sub {
|
||||||
my ($param) = @_;
|
my ($param) = @_;
|
||||||
|
|
||||||
|
my $rpcenv = PVE::RPCEnvironment::get();
|
||||||
|
my $authuser = $rpcenv->get_user();
|
||||||
|
|
||||||
PVE::AccessControl::lock_user_config(
|
PVE::AccessControl::lock_user_config(
|
||||||
sub {
|
sub {
|
||||||
|
|
||||||
@ -149,6 +157,7 @@ __PACKAGE__->register_method ({
|
|||||||
|
|
||||||
if (defined($param->{vms})) {
|
if (defined($param->{vms})) {
|
||||||
foreach my $vmid (PVE::Tools::split_list($param->{vms})) {
|
foreach my $vmid (PVE::Tools::split_list($param->{vms})) {
|
||||||
|
$rpcenv->check_perm_modify($authuser, "/vms/$vmid");
|
||||||
if ($param->{delete}) {
|
if ($param->{delete}) {
|
||||||
die "VM $vmid is not a pool member\n"
|
die "VM $vmid is not a pool member\n"
|
||||||
if !$data->{vms}->{$vmid};
|
if !$data->{vms}->{$vmid};
|
||||||
@ -168,6 +177,7 @@ __PACKAGE__->register_method ({
|
|||||||
|
|
||||||
if (defined($param->{storage})) {
|
if (defined($param->{storage})) {
|
||||||
foreach my $storeid (PVE::Tools::split_list($param->{storage})) {
|
foreach my $storeid (PVE::Tools::split_list($param->{storage})) {
|
||||||
|
$rpcenv->check_perm_modify($authuser, "/storage/$storeid");
|
||||||
if ($param->{delete}) {
|
if ($param->{delete}) {
|
||||||
die "Storage '$storeid' is not a pool member\n"
|
die "Storage '$storeid' is not a pool member\n"
|
||||||
if !$data->{storage}->{$storeid};
|
if !$data->{storage}->{$storeid};
|
||||||
@ -192,9 +202,9 @@ __PACKAGE__->register_method ({
|
|||||||
path => '{poolid}',
|
path => '{poolid}',
|
||||||
method => 'GET',
|
method => 'GET',
|
||||||
permissions => {
|
permissions => {
|
||||||
check => ['perm', '/access', ['Sys.Audit']],
|
check => ['perm', '/pool/{poolid}', ['Pool.Allocate']],
|
||||||
},
|
},
|
||||||
description => "Get group configuration.",
|
description => "Get pool configuration.",
|
||||||
parameters => {
|
parameters => {
|
||||||
additionalProperties => 0,
|
additionalProperties => 0,
|
||||||
properties => {
|
properties => {
|
||||||
@ -274,9 +284,10 @@ __PACKAGE__->register_method ({
|
|||||||
path => '{poolid}',
|
path => '{poolid}',
|
||||||
method => 'DELETE',
|
method => 'DELETE',
|
||||||
permissions => {
|
permissions => {
|
||||||
check => ['perm', '/access', ['Sys.Modify']],
|
description => "You can only delete empty pools (no members).",
|
||||||
|
check => ['perm', '/pool/{poolid}', ['Pool.Allocate']],
|
||||||
},
|
},
|
||||||
description => "Delete group.",
|
description => "Delete pool.",
|
||||||
parameters => {
|
parameters => {
|
||||||
additionalProperties => 0,
|
additionalProperties => 0,
|
||||||
properties => {
|
properties => {
|
||||||
@ -287,6 +298,9 @@ __PACKAGE__->register_method ({
|
|||||||
code => sub {
|
code => sub {
|
||||||
my ($param) = @_;
|
my ($param) = @_;
|
||||||
|
|
||||||
|
my $rpcenv = PVE::RPCEnvironment::get();
|
||||||
|
my $authuser = $rpcenv->get_user();
|
||||||
|
|
||||||
PVE::AccessControl::lock_user_config(
|
PVE::AccessControl::lock_user_config(
|
||||||
sub {
|
sub {
|
||||||
|
|
||||||
@ -298,7 +312,10 @@ __PACKAGE__->register_method ({
|
|||||||
|
|
||||||
die "pool '$pool' does not exist\n"
|
die "pool '$pool' does not exist\n"
|
||||||
if !$data;
|
if !$data;
|
||||||
|
|
||||||
|
die "pool '$pool' is not empty\n"
|
||||||
|
if scalar (keys %{$data->{vms}}) || scalar(keys %{$data->{storage}});
|
||||||
|
|
||||||
delete ($usercfg->{pools}->{$pool});
|
delete ($usercfg->{pools}->{$pool});
|
||||||
|
|
||||||
PVE::AccessControl::delete_pool_acl($pool, $usercfg);
|
PVE::AccessControl::delete_pool_acl($pool, $usercfg);
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user