]> git.proxmox.com Git - pve-storage.git/commitdiff
projects / pve-storage.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ef881e1)
PVE::Storage: new helper check_volume_access()
authorDietmar Maurer <dietmar@proxmox.com>
Wed, 18 Jan 2017 16:14:07 +0000 (17:14 +0100)
committerDietmar Maurer <dietmar@proxmox.com>
Thu, 19 Jan 2017 08:14:41 +0000 (09:14 +0100)
Copied from PVE::RPCEnvironment to avoid cyclic dependency
(pve-storgae => pve-access-control => pve-storage).

PVE/API2/Storage/Content.pm patch | blob | blame | history
PVE/CLI/pvesm.pm patch | blob | blame | history
PVE/Storage.pm patch | blob | blame | history

diff --git a/PVE/API2/Storage/Content.pm b/PVE/API2/Storage/Content.pm
index 47ef03b7c4df8ca845b0f1514e43e9abdc24f556..699823bf560a94cad864294a5a300a8ce0b27705 100644 (file)
--- a/PVE/API2/Storage/Content.pm
+++ b/PVE/API2/Storage/Content.pm
@@ -72,7 +72,7 @@ __PACKAGE__->register_method ({
 
        my $res = [];
        foreach my $item (@$vollist) {
-           eval { $rpcenv->check_volume_access($authuser, $cfg, undef, $item->{volid}); };
+           eval {  PVE::Storage::check_volume_access($rpcenv, $authuser, $cfg, undef, $item->{volid}); };
            next if $@;
            push @$res, $item;
        }
@@ -219,7 +219,7 @@ __PACKAGE__->register_method ({
 
        my $cfg = PVE::Storage::config();
 
-       $rpcenv->check_volume_access($authuser, $cfg, undef, $volid);
+       PVE::Storage::check_volume_access($rpcenv, $rpcenv->$authuser, $cfg, undef, $volid);
 
        my $path = PVE::Storage::path($cfg, $volid);
        my ($size, $format, $used, $parent) =  PVE::Storage::file_size_info($path);
diff --git a/PVE/CLI/pvesm.pm b/PVE/CLI/pvesm.pm
index 376781059e32fb57ed6c85b74c09a67a23b0b7ce..3b9943654cbeec90eaf3005b4414d8206669dbb9 100755 (executable)
--- a/PVE/CLI/pvesm.pm
+++ b/PVE/CLI/pvesm.pm
@@ -86,7 +86,7 @@ __PACKAGE__->register_method ({
        my $authuser = $rpcenv->get_user();
 
        my $storage_cfg = PVE::Storage::config();
-       $rpcenv->check_volume_access($authuser, $storage_cfg, undef, $volume);
+       PVE::Storage::check_volume_access($rpcenv, $authuser, $storage_cfg, undef, $volume);
 
        my $config_raw = PVE::Storage::extract_vzdump_config($storage_cfg, $volume);
 
diff --git a/PVE/Storage.pm b/PVE/Storage.pm
index 683c920ba1259d45236f41890348aa80b6def1c9..bfc34d40f6f36095e9a58577986623889a659484 100755 (executable)
--- a/PVE/Storage.pm
+++ b/PVE/Storage.pm
@@ -344,6 +344,32 @@ sub parse_volume_id {
     return PVE::Storage::Plugin::parse_volume_id($volid, $noerr);
 }
 
+# test if we have read access to volid
+sub check_volume_access {
+    my ($rpcenv, $user, $cfg, $vmid, $volid) = @_;
+
+    my ($sid, $volname) = parse_volume_id($volid, 1);
+    if ($sid) {
+       my ($vtype, undef, $ownervm) = parse_volname($cfg, $volid);
+       if ($vtype eq 'iso' || $vtype eq 'vztmpl') {
+           # we simply allow access
+       } elsif (defined($ownervm) && defined($vmid) && ($ownervm == $vmid)) {
+           # we are owner - allow access
+       } elsif ($vtype eq 'backup' && $ownervm) {
+           $rpcenv->check($user, "/storage/$sid", ['Datastore.AllocateSpace']);
+           $rpcenv->check($user, "/vms/$ownervm", ['VM.Backup']);
+       } else {
+           # allow if we are Datastore administrator
+           $rpcenv->check($user, "/storage/$sid", ['Datastore.Allocate']);
+       }
+    } else {
+       die "Only root can pass arbitrary filesystem paths."
+           if $user ne 'root@pam';
+    }
+
+    return undef;
+}
+
 my $volume_is_base_and_used__no_lock = sub {
     my ($scfg, $storeid, $plugin, $volname) = @_;
 
Storage library