api: node: bulk actions: allow when user has permission for each guest

Users with permissions for some guests can already start a task for
each sequentially.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>

diff --git a/PVE/API2/Nodes.pm b/PVE/API2/Nodes.pm
index f1b3bca415133e933c88c5833f481c1640a0b739..bfe5c40a1c5cdf900cc6fbc21b64811f8a4ba204 100644 (file)
--- a/PVE/API2/Nodes.pm
+++ b/PVE/API2/Nodes.pm
@@ -1757,7 +1757,9 @@ __PACKAGE__->register_method ({
     method => 'POST',
     protected => 1,
     permissions => {
-       check => ['perm', '/', [ 'VM.PowerMgmt' ]],
+       description => "The 'VM.PowerMgmt' permission is required on '/' or on '/vms/<ID>' for "
+           ."each ID passed via the 'vms' parameter.",
+       user => 'all',
     },
     proxyto => 'node',
     description => "Start all VMs and containers located on this node (by default only those with onboot=1).",
@@ -1787,6 +1789,15 @@ __PACKAGE__->register_method ({
        my $rpcenv = PVE::RPCEnvironment::get();
        my $authuser = $rpcenv->get_user();
 
+       if (!$rpcenv->check($authuser, "/", [ 'VM.PowerMgmt' ], 1)) {
+           my @vms = PVE::Tools::split_list($param->{vms});
+           if (scalar(@vms) > 0) {
+               $rpcenv->check($authuser, "/vms/$_", [ 'VM.PowerMgmt' ]) for @vms;
+           } else {
+               raise_perm_exc("/, VM.PowerMgmt");
+           }
+       }
+
        my $nodename = $param->{node};
        $nodename = PVE::INotify::nodename() if $nodename eq 'localhost';
 
@@ -1892,7 +1903,9 @@ __PACKAGE__->register_method ({
     method => 'POST',
     protected => 1,
     permissions => {
-       check => ['perm', '/', [ 'VM.PowerMgmt' ]],
+       description => "The 'VM.PowerMgmt' permission is required on '/' or on '/vms/<ID>' for "
+           ."each ID passed via the 'vms' parameter.",
+       user => 'all',
     },
     proxyto => 'node',
     description => "Stop all VMs and Containers.",
@@ -1931,6 +1944,15 @@ __PACKAGE__->register_method ({
        my $rpcenv = PVE::RPCEnvironment::get();
        my $authuser = $rpcenv->get_user();
 
+       if (!$rpcenv->check($authuser, "/", [ 'VM.PowerMgmt' ], 1)) {
+           my @vms = PVE::Tools::split_list($param->{vms});
+           if (scalar(@vms) > 0) {
+               $rpcenv->check($authuser, "/vms/$_", [ 'VM.PowerMgmt' ]) for @vms;
+           } else {
+               raise_perm_exc("/, VM.PowerMgmt");
+           }
+       }
+
        my $nodename = $param->{node};
        $nodename = PVE::INotify::nodename() if $nodename eq 'localhost';
 
@@ -2057,7 +2079,9 @@ __PACKAGE__->register_method ({
     proxyto => 'node',
     protected => 1,
     permissions => {
-       check => ['perm', '/', [ 'VM.Migrate' ]],
+       description => "The 'VM.Migrate' permission is required on '/' or on '/vms/<ID>' for each "
+           ."ID passed via the 'vms' parameter.",
+       user => 'all',
     },
     description => "Migrate all VMs and Containers.",
     parameters => {
@@ -2093,6 +2117,15 @@ __PACKAGE__->register_method ({
        my $rpcenv = PVE::RPCEnvironment::get();
        my $authuser = $rpcenv->get_user();
 
+       if (!$rpcenv->check($authuser, "/", [ 'VM.Migrate' ], 1)) {
+           my @vms = PVE::Tools::split_list($param->{vms});
+           if (scalar(@vms) > 0) {
+               $rpcenv->check($authuser, "/vms/$_", [ 'VM.Migrate' ]) for @vms;
+           } else {
+               raise_perm_exc("/, VM.Migrate");
+           }
+       }
+
        my $nodename = $param->{node};
        $nodename = PVE::INotify::nodename() if $nodename eq 'localhost';