implement helper to check if we can modify permission

[pve-access-control.git] / PVE / RPCEnvironment.pm

diff --git a/PVE/RPCEnvironment.pm b/PVE/RPCEnvironment.pm
index 15f7badd5c831f97b6c3336d95916e8b7e03b2a6..0b8147e4cc1ad285670b434e8e38a0cb5a2d2653 100644 (file)
--- a/PVE/RPCEnvironment.pm
+++ b/PVE/RPCEnvironment.pm
@@ -129,8 +129,12 @@ my $compile_acl_path = sub {
     # Note: assume we do not want to propagate those privs
     if ($data->{poolroles}->{$path}) {
        if (!($ra[0] && $ra[0] eq 'NoAccess')) {
-           foreach my $role (keys %{$data->{poolroles}->{$path}}) {
-               push @ra, $role;
+           if ($data->{poolroles}->{$path}->{NoAccess}) {
+               @ra = ('NoAccess');
+           } else {
+               foreach my $role (keys %{$data->{poolroles}->{$path}}) {
+                   push @ra, $role;
+               }
            }
        }
     }
@@ -215,7 +219,7 @@ sub check_any {
     my ($self, $user, $path, $privs, $noerr) = @_;
 
     my $perm = $self->permissions($user, $path);
-    syslog("info", "check_any $user $path " . join(" ", keys %$perm));
+
     my $found = 0;
     foreach my $priv (@$privs) {
        PVE::AccessControl::verify_privname($priv);
@@ -295,6 +299,21 @@ sub group_member_join {
     return $users;
 }
 
+sub check_perm_modify {
+    my ($self, $username, $path, $noerr) = @_;
+
+    return $self->check($username, '/access', [ 'Permissions.Modify' ], $noerr) if !$path;
+
+    my $testperms = [ 'Permissions.Modify' ];
+    if ($path =~ m|^/storage/.+$|) {
+       push @$testperms, 'Datastore.Allocate';
+    } elsif ($path =~ m|^/vms/.+$|) {
+       push @$testperms, 'VM.Allocate';
+    }
+
+    return $self->check_any($username, $path, $testperms, $noerr);
+}
+
 sub exec_api2_perm_check {
     my ($self, $check, $username, $param, $noerr) = @_;
 
@@ -320,6 +339,7 @@ sub exec_api2_perm_check {
        my $any = $options{any};
        die "missing parameters" if !($tmplpath && $privs);
        my $path = PVE::Tools::template_replace($tmplpath, $param);
+       $path = PVE::AccessControl::normalize_path($path);
        if ($any) {
            return $self->check_any($username, $path, $privs, $noerr);
        } else {
@@ -359,7 +379,12 @@ sub exec_api2_perm_check {
        } else {
            die "unknown userid-param test";
        }
-    } else {
+    } elsif ($test eq 'perm-modify') {
+       my ($t, $tmplpath) = @$check;
+       my $path = PVE::Tools::template_replace($tmplpath, $param);
+       $path = PVE::AccessControl::normalize_path($path);
+       return $self->check_perm_modify($username, $path, $noerr);
+   } else {
        die "unknown permission test";
     }
 };