api: nodes/subscription: implement reasonable access rights

Allow users which have Sys.Audit on a specific node to get the
subscription status and those with Sys.Modify to set and check
(update) it.

This mirrors the required permissions from other node specific
actions, e.g., APT (package management).

We always showed the Subscription Panel and all its elements in the
WebUI, so no need for change there.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/PVE/API2/Subscription.pm b/PVE/API2/Subscription.pm
index bedc6a5b7ee4a37706159a3a6dec2d9171b3c330..9d24dce866ce560e230448b0ea7688980a831835 100644 (file)
--- a/PVE/API2/Subscription.pm
+++ b/PVE/API2/Subscription.pm
@@ -91,6 +91,9 @@ __PACKAGE__->register_method ({
     name => 'get',
     path => '',
     method => 'GET',
+    permissions => {
+       check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]],
+    },
     description => "Read subscription info.",
     proxyto => 'node',
     permissions => { user => 'all' },
@@ -128,6 +131,9 @@ __PACKAGE__->register_method ({
     name => 'update',
     path => '',
     method => 'POST',
+    permissions => {
+       check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+    },
     description => "Update subscription info.",
     proxyto => 'node',
     protected => 1,
@@ -179,6 +185,9 @@ __PACKAGE__->register_method ({
     name => 'set',
     path => '',
     method => 'PUT',
+    permissions => {
+       check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+    },
     description => "Set subscription key.",
     proxyto => 'node',
     protected => 1,