From 1f6610f3864201da9e26dfd4fc42b78c40dfb0ad Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Mon, 6 Feb 2012 10:10:55 +0100
Subject: [PATCH] fix upload permissions. Only allow iso/tmpl upload.
---
 PVE/API2/Storage/Status.pm | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/PVE/API2/Storage/Status.pm b/PVE/API2/Storage/Status.pm
index 9e5790a..f9178a7 100644
--- a/PVE/API2/Storage/Status.pm
+++ b/PVE/API2/Storage/Status.pm
@@ -250,13 +250,15 @@ __PACKAGE__->register_method ({
 $param->{timeframe}, $param->{cf});
 }});
+# makes no sense for big images and backup files (because it
+# create a copy of the file).
 __PACKAGE__->register_method ({
 name => 'upload',
 path => '{storage}/upload',
 method => 'POST',
- description => "Upload file.",
+ description => "Upload templates and ISO images.",
 permissions => {
- check => ['perm', '/storage/{storage}', ['Datastore.AllocateSpace']],
+ check => ['perm', '/storage/{storage}', ['Datastore.AllocateTemplate']],
 },
 protected => 1,
 parameters => {
@@ -321,13 +323,8 @@ __PACKAGE__->register_method ({
 raise_param_exc({ filename => "missing '.tar.gz' extension" });
 }
 $path = PVE::Storage::get_vztmpl_dir($cfg, $param->{storage});
- } elsif ($content eq 'backup') {
- if ($filename !~ m!/([^/]+\.(tar|tgz))$!) {
- raise_param_exc({ filename => "missing '.(tar|tgz)' extension" });
- }
- $path = PVE::Storage::get_backup_dir($cfg, $param->{storage});
 } else {
- raise_param_exc({ content => "upload content type '$content' not implemented" });
+ raise_param_exc({ content => "upload content type '$content' not allowed" });
 }
 die "storage '$param->{storage}' does not support '$content' content\n"
--
2.39.2
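Review bot: The comment added above the `upload` registration does not say what is being restricted, and "it" has no antecedent, so the reason for the `Datastore.AllocateTemplate` check will be hard to recover later. I would write it as `# Upload is limited to templates and ISO images: the handler creates a copy of the uploaded file,` followed by `# which makes no sense for big images and backup files.` The privilege swap on the `check` line also changes who may call the endpoint: roles holding only `Datastore.AllocateSpace` lose upload and roles holding `Datastore.AllocateTemplate` gain it. That deserves a sentence in the commit message so existing ACLs get reviewed. The registration continues past the end of the hunk.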
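Review bot: The `else` branch is now the only enforcement of the content-type allow-list, and it runs inside the handler rather than at parameter validation. The `parameters` schema is outside this hunk, so I cannot tell whether `content` is still declared with a format that accepts backup and image types. If it is, narrowing it to the two accepted values would reject the request before any handler code runs and keep the generated API documentation in line with the new restriction. A short comment on the branch, e.g. `# only templates and ISO images may be uploaded; backups and disk images are rejected on purpose`, would also keep the removed case from being re-added by accident. The enclosing handler starts and ends outside the hunk.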