src/config/acl.rs: introduce more/better datastore privileges

[proxmox-backup.git] / src / api2 / pull.rs

diff --git a/src/api2/pull.rs b/src/api2/pull.rs
index b8d47901f4bd7326f611104c9a04dbc7c23e1588..8e989275f816d852fb2b6870a35e618fcf8e6d71 100644 (file)
--- a/src/api2/pull.rs
+++ b/src/api2/pull.rs
@@ -16,7 +16,7 @@ use crate::backup::*;
 use crate::client::*;
 use crate::config::remote;
 use crate::api2::types::*;
-use crate::config::acl::PRIV_DATASTORE_ALLOCATE_SPACE;
+use crate::config::acl::{PRIV_DATASTORE_CREATE_BACKUP, PRIV_DATASTORE_READ};
 use crate::config::cached_user_info::CachedUserInfo;
 
 // fixme: implement filters
@@ -391,7 +391,7 @@ pub async fn pull_store(
     },
     access: {
         // Note: used parameters are no uri parameters, so we need to test inside function body
-        description: "The user needs Datastore.AllocateSpace privilege on '/datastore/{store}' and '/remote/{remote}/{remote-store}'.",
+        description: "The user needs Datastore.CreateBackup privilege on '/datastore/{store}' and Datastore.Read on '/remote/{remote}/{remote-store}'.",
         permission: &Permission::Anybody,
     },
 )]
@@ -408,8 +408,8 @@ async fn pull (
     let user_info = CachedUserInfo::new()?;
 
     let username = rpcenv.get_user().unwrap();
-    user_info.check_privs(&username, &["datastore", &store], PRIV_DATASTORE_ALLOCATE_SPACE, false)?;
-    user_info.check_privs(&username, &["remote", &remote, &remote_store], PRIV_DATASTORE_ALLOCATE_SPACE, false)?;
+    user_info.check_privs(&username, &["datastore", &store], PRIV_DATASTORE_CREATE_BACKUP, false)?;
+    user_info.check_privs(&username, &["remote", &remote, &remote_store], PRIV_DATASTORE_READ, false)?;
 
     let delete = delete.unwrap_or(true);