check volume access: always allow with Datastore.Allocate privilege

Such users are supposed to be administrators of the storage, but
previously, access to backups was not allowed when not also having
VM.Backup.

Suggested-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>

diff --git a/PVE/Storage.pm b/PVE/Storage.pm
index 6112991bfb5597ef7ec647e5b6ef00b5ae781a0b..0349564b247b82698282c91db8028672a3009e22 100755 (executable)
--- a/PVE/Storage.pm
+++ b/PVE/Storage.pm
@@ -477,6 +477,8 @@ sub check_volume_access {
 
     my ($sid, $volname) = parse_volume_id($volid, 1);
     if ($sid) {
+       return if $rpcenv->check($user, "/storage/$sid", ['Datastore.Allocate'], 1);
+
        my ($vtype, undef, $ownervm) = parse_volname($cfg, $volid);
        if ($vtype eq 'iso' || $vtype eq 'vztmpl') {
            # require at least read access to storage, (custom) templates/ISOs could be sensitive
@@ -487,8 +489,7 @@ sub check_volume_access {
            $rpcenv->check($user, "/storage/$sid", ['Datastore.AllocateSpace']);
            $rpcenv->check($user, "/vms/$ownervm", ['VM.Backup']);
        } else {
-           # allow if we are Datastore administrator
-           $rpcenv->check($user, "/storage/$sid", ['Datastore.Allocate']);
+           die "missing privileges to access $volid\n";
        }
     } else {
        die "Only root can pass arbitrary filesystem paths."