use crate::api2::backup::optional_ns_param;
use crate::api2::node::rrd::create_value_from_rrd;
use crate::backup::{
- can_access_any_namespace, check_ns_privs_full, verify_all_backups, verify_backup_dir,
- verify_backup_group, verify_filter, ListAccessibleBackupGroups,
+ check_ns_privs_full, verify_all_backups, verify_backup_dir, verify_backup_group, verify_filter,
+ ListAccessibleBackupGroups, NS_PRIVS_OK,
};
use crate::server::jobstate::Job;
};
let snapshot_count = group.list_backups()?.len() as u64;
- // only include groups with snapshots, counting/displaying emtpy groups can confuse
+ // only include groups with snapshots, counting/displaying empty groups can confuse
if snapshot_count > 0 {
let type_count = match group.backup_type() {
BackupType::Ct => counts.ct.get_or_insert(Default::default()),
true
} else if store_privs & PRIV_DATASTORE_READ != 0 {
false // allow at least counts, user can read groups anyway..
- } else if let Ok(ref datastore) = datastore {
- if !can_access_any_namespace(Arc::clone(datastore), &auth_id, &user_info) {
- return Err(http_err!(FORBIDDEN, "permission check failed"));
- }
- false
} else {
- return Err(http_err!(FORBIDDEN, "permission check failed")); // avoid leaking existance info
+ match user_info.any_privs_below(&auth_id, &["datastore", &store], NS_PRIVS_OK) {
+ // avoid leaking existence info if users hasn't at least any priv. below
+ Ok(false) | Err(_) => return Err(http_err!(FORBIDDEN, "permission check failed")),
+ _ => false,
+ }
};
- let datastore = datastore?; // only unwrap no to avoid leaking existance info
+ let datastore = datastore?; // only unwrap no to avoid leaking existence info
let (counts, gc_status) = if verbose {
let filter_owner = if store_privs & PRIV_DATASTORE_AUDIT != 0 {
};
Ok(if store_stats {
- let storage = crate::tools::disks::disk_usage(&datastore.base_path())?;
+ let storage = proxmox_sys::fs::fs_info(&datastore.base_path())?;
DataStoreStatus {
total: storage.total,
used: storage.used,
- avail: storage.avail,
+ avail: storage.available,
gc_status,
counts,
}
let mut list = Vec::new();
for (store, (_, data)) in &config.sections {
- let user_privs = user_info.lookup_privs(&auth_id, &["datastore", store]);
+ let acl_path = &["datastore", store];
+ let user_privs = user_info.lookup_privs(&auth_id, acl_path);
let allowed = (user_privs & (PRIV_DATASTORE_AUDIT | PRIV_DATASTORE_BACKUP)) != 0;
let mut allow_id = false;
if !allowed {
- let scfg: pbs_api_types::DataStoreConfig = serde_json::from_value(data.to_owned())?;
- // safety: we just cannot go through lookup as we must avoid an operation check
- if let Ok(datastore) = unsafe { DataStore::open_from_config(scfg, None) } {
- allow_id = can_access_any_namespace(datastore, &auth_id, &user_info);
+ if let Ok(any_privs) = user_info.any_privs_below(&auth_id, acl_path, NS_PRIVS_OK) {
+ allow_id = any_privs;
}
}