Syntax for permission paths is now checked on API calls for
creation or update on permissions.
Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
my $path = PVE::AccessControl::normalize_path($param->{path});
raise_param_exc({ path => "invalid ACL path '$param->{path}'" }) if !$path;
+ if (!$param->{delete} && !PVE::AccessControl::check_path($path)) {
+ raise_param_exc({ path => "invalid ACL path '$param->{path}'" });
+ }
+
PVE::AccessControl::lock_user_config(
sub {
return $path;
}
+sub check_path {
+ return shift =~ m!^(
+ /
+ |/access
+ |/access/groups
+ |/access/realm
+ |/nodes
+ |/nodes/[[:alnum:]\.\-\_]+
+ |/pool
+ |/pool/[[:alnum:]\.\-\_]+
+ |/sdn
+ |/storage
+ |/storage/[[:alnum:]\.\-\_]+
+ |/vms
+ |/vms/\d{3,}
+ )$!xs;
+}
+
PVE::JSONSchema::register_format('pve-groupid', \&verify_groupname);
sub verify_groupname {
my ($groupname, $noerr) = @_;