From 00b90e7185efe489ddf7cb6f5b6ebdf023cc602c Mon Sep 17 00:00:00 2001 From: Thomas Lamprecht Date: Thu, 8 Jun 2023 09:31:19 +0200 Subject: [PATCH] api: roles: forbid creatin new roles starting with "PVE" namespace makes our reasoning when adding new top-level privileges way easier in the future. We already had two major upgrades with role additions where we had to add special checks in the upgrade script and breaking changes, so let's reserve any role starting with PVE (case-insensitive to avoid confusion potential) and forbid creating those via API. We might also think about letting the config parser choke on that, as otherwise one could still create them via editing the config manually. Signed-off-by: Thomas Lamprecht --- src/PVE/API2/Role.pm | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/PVE/API2/Role.pm b/src/PVE/API2/Role.pm index 5cb5b30..a924018 100644 --- a/src/PVE/API2/Role.pm +++ b/src/PVE/API2/Role.pm @@ -5,6 +5,7 @@ use warnings; use PVE::AccessControl (); use PVE::Cluster qw(cfs_read_file cfs_write_file); +use PVE::Exception qw(raise_param_exc); use PVE::JSONSchema qw(get_standard_option register_standard_option); use base qw(PVE::RESTHandler); @@ -82,11 +83,17 @@ __PACKAGE__->register_method ({ code => sub { my ($param) = @_; + my $role = $param->{roleid}; + + if ($role =~ /^PVE/i) { + raise_param_exc({ + roleid => "cannot use role ID starting with the (case-insensitive) 'PVE' namespace", + }); + } + PVE::AccessControl::lock_user_config(sub { my $usercfg = cfs_read_file("user.cfg"); - my $role = $param->{roleid}; - die "role '$role' already exists\n" if $usercfg->{roles}->{$role}; $usercfg->{roles}->{$role} = {}; -- 2.39.2