if ($method eq 'POST' && $rel_uri =~ m|^/nodes/([^/]+)/storage/([^/]+)/upload$|) {
my ($node, $storeid) = ($1, $2);
- my $perm = {
- path => "/storage/$storeid",
- privs => [ 'Datastore.AllocateSpace' ],
- };
+ # we disable CSRF checks if $isUpload is set,
+ # to improve security we check user upload permission here
+ my $perm = { check => ['perm', "/storage/$storeid", ['Datastore.AllocateTemplate']] };
$rpcenv->check_api2_permissions($perm, $username, {});
$isUpload = 1;
}
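Review bot: The permission check added before `$isUpload = 1` limits who can reach the upload path, but it does not replace the CSRF check that the new comment says is skipped. A logged-in user who holds `Datastore.AllocateTemplate` on the storage can still have this POST triggered from another site. The code that skips the token check is outside this hunk, so this is inferred from the comment alone; if uploads cannot carry the token in the usual way, consider validating it from the form body once that is parsed, and make the comment say what is really guaranteed, e.g. `# CSRF token is NOT verified for uploads; this check only limits who may upload`. Separately, `$storeid` is taken from the `[^/]+` capture and interpolated into the ACL path, so restricting that capture to the characters a storage ID may contain would keep unexpected input out of the permission lookup. The enclosing function starts and ends outside the hunk.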
+pve-manager (2.0-33) unstable; urgency=low
+
+ * fix file upload permission checks
+
+ -- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 09:14:05 +0100
+
pve-manager (2.0-32) unstable; urgency=low
* added French translation