fix #3402: add Pool.Audit permission

author Lorenz Stechauner <l.stechauner@proxmox.com>

Thu, 20 May 2021 10:03:40 +0000 (12:03 +0200)

committer Fabian Grünbichler <f.gruenbichler@proxmox.com>

Tue, 1 Jun 2021 08:31:11 +0000 (10:31 +0200)
author Lorenz Stechauner <l.stechauner@proxmox.com>
Thu, 20 May 2021 10:03:40 +0000 (12:03 +0200)
committer Fabian Grünbichler <f.gruenbichler@proxmox.com>
Tue, 1 Jun 2021 08:31:11 +0000 (10:31 +0200)
diff --git a/PVE/API2/Cluster.pm b/PVE/API2/Cluster.pm

index ab5b28a191c008fc8187018395b8ae50071fbddb..641b846d1482fba30843abd31d7369baebe0d34a 100644 (file)
--- a/PVE/API2/Cluster.pm
+++ b/PVE/API2/Cluster.pm
@@ -332,7 +332,7 @@ __PACKAGE__->register_method({
             for my $pool (sort keys %{$usercfg->{pools}}) {
                 my $d = $usercfg->{pools}->{$pool};
  
-               next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Allocate' ], 1);
+               next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Audit' ], 1);
  
                 my $entry = {
                     id => "/pool/$pool",
@@ -384,6 +384,11 @@ __PACKAGE__->register_method({
                     $entry->{lock} = $lock;
                 }
  
+               if (defined($entry->{pool}) &&
+                   !$rpcenv->check($authuser, "/pool/$entry->{pool}", ['Pool.Audit'], 1)) {
+                   delete $entry->{pool};
+               }
+
                 # get ha status
                 if (my $hatype = $hatypemap->{$entry->{type}}) {
                     my $sid = "$hatype:$vmid";
diff --git a/PVE/API2/Pool.pm b/PVE/API2/Pool.pm

index 43375b0257691b5509b1e6003b1c86676fb70950..28c29ab8f57df5f4293862c55a2477737dff142c 100644 (file)
--- a/PVE/API2/Pool.pm
+++ b/PVE/API2/Pool.pm
@@ -22,7 +22,7 @@ __PACKAGE__->register_method ({
      method => 'GET',
      description => "Pool index.",
      permissions => {
-       description => "List all pools where you have Pool.Allocate or VM.Allocate permissions on /pool/<pool>.",
+       description => "List all pools where you have Pool.Audit permissions on /pool/<pool>.",
         user => 'all',
      },
      parameters => {
@@ -47,9 +47,10 @@ __PACKAGE__->register_method ({
  
         my $usercfg = $rpcenv->{user_cfg};
  
+
         my $res = [];
         for my $pool (sort keys %{$usercfg->{pools}}) {
-           next if !$rpcenv->check_any($authuser, "/pool/$pool", [ 'Pool.Allocate', 'VM.Allocate' ], 1);
+           next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Audit' ], 1);
  
             my $entry = { poolid => $pool };
             my $pool_config = $usercfg->{pools}->{$pool};
@@ -200,7 +201,7 @@ __PACKAGE__->register_method ({
      path => '{poolid}',
      method => 'GET',
      permissions => {
-       check => ['perm', '/pool/{poolid}', ['Pool.Allocate']],
+       check => ['perm', '/pool/{poolid}', ['Pool.Audit']],
      },
      description => "Get pool configuration.",
      parameters => {
diff --git a/PVE/API2/VZDump.pm b/PVE/API2/VZDump.pm

index 82dd9415cad9049465ac3d615d1e1f284973bea6..4093d82ffe9855ec3a162684cb7d6cffe0721cc1 100644 (file)
--- a/PVE/API2/VZDump.pm
+++ b/PVE/API2/VZDump.pm
@@ -226,7 +226,7 @@ __PACKAGE__->register_method ({
  
         my $pool = $res->{pool};
         if (defined($pool) &&
-           !$rpcenv->check($authuser, "/pool/$pool", ['Pool.Allocate'], 1)) {
+           !$rpcenv->check($authuser, "/pool/$pool", ['Pool.Audit'], 1)) {
             delete $res->{pool};
         }
author	Lorenz Stechauner <l.stechauner@proxmox.com>
	Thu, 20 May 2021 10:03:40 +0000 (12:03 +0200)
committer	Fabian Grünbichler <f.gruenbichler@proxmox.com>
	Tue, 1 Jun 2021 08:31:11 +0000 (10:31 +0200)
PVE/API2/Cluster.pm		patch \| blob \| blame \| history
PVE/API2/Pool.pm		patch \| blob \| blame \| history
PVE/API2/VZDump.pm		patch \| blob \| blame \| history