network permissions: implement checks

[pve-container.git] / src / PVE / LXC / Create.pm

diff --git a/src/PVE/LXC/Create.pm b/src/PVE/LXC/Create.pm
index b2e3d00a0d24248197177aff09282b26d5da8ec8..981f92d5a78686407aa24c9abbce01359034e603 100644 (file)
--- a/src/PVE/LXC/Create.pm
+++ b/src/PVE/LXC/Create.pm
@@ -325,6 +325,7 @@ sub sanitize_and_merge_config {
     my ($conf, $oldconf, $restricted, $unique) = @_;
 
     my $rpcenv = PVE::RPCEnvironment::get();
+    my $authuser = $rpcenv->get_user();
 
     foreach my $key (keys %$oldconf) {
        next if $key eq 'digest' || $key eq 'rootfs' || $key eq 'snapshots' || $key eq 'unprivileged' || $key eq 'parent';
@@ -354,6 +355,10 @@ sub sanitize_and_merge_config {
            next;
        }
 
+       if ($key =~ /^net\d+$/ && !defined($conf->{$key})) {
+           PVE::LXC::check_bridge_access($rpcenv, $authuser, $oldconf->{$key});
+       }
+
        if ($unique && $key =~ /^net\d+$/) {
            my $net = PVE::LXC::Config->parse_lxc_network($oldconf->{$key});
            my $dc = PVE::Cluster::cfs_read_file('datacenter.cfg');