check_ct_modify_config_perm: check for tags permissions with 'assert_tag_permissions'

from GuestHelpers. This function checks all necessary permissions and
raises an exception if the user does not have the correct ones.

This is necessary for the new 'privileged' tags and 'user-tag-access'
permissions to work.

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 9bd04afaa707b839a6ec79293a8f2bfe5049764f..4fa65865d74ffc508d6ae88685ee312a2a51ef20 100644 (file)
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -1344,6 +1344,10 @@ sub check_ct_modify_config_perm {
        } elsif ($opt eq 'hookscript') {
            # For now this is restricted to root@pam
            raise_perm_exc("changing the hookscript is only allowed for root\@pam");
+       } elsif ($opt eq 'tags') {
+           my $old = $oldconf->{$opt};
+           my $new = $delete ? '' : $newconf->{$opt};
+           PVE::GuestHelpers::assert_tag_permissions($vmid, $old, $new, $rpcenv, $authuser);
        } else {
            $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Options']);
        }