api2: network: anybridge: re-add regular bridges

commit 89d146f207225bb8ca2e01d7e79000bb37a227d1 introduced permission
checks here that caused all regular bridges to be removed from the
returned list as soon as the SDN package is installed, unless the user
is root@pam or there exists a VNET with the same ID.

this is arguably a breaking change, so limit the priv check to actually
defined VNETs for the time being, and add ALL regular bridges
uncondtionally like before.

get_local_vnets already filters by the same prvs, so we need to get the
full config to find out which IDs are VNETs and which are not.

once/iff we introduce ACL paths for *all* bridges in the future, we can
limit accordingly here.

CC: Alexandre Derumier <aderumier@odiso.com>
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

diff --git a/PVE/API2/Network.pm b/PVE/API2/Network.pm
index 214ab50a61623591ee539f17ee6522bfb7ba164f..a43579fadb9b9ac0ef5c00f993bf9a652f559294 100644 (file)
--- a/PVE/API2/Network.pm
+++ b/PVE/API2/Network.pm
@@ -240,13 +240,16 @@ __PACKAGE__->register_method({
 
        if (my $tfilter = $param->{type}) {
            my $vnets;
+           my $vnet_cfg;
            my $can_access_vnet = sub { # only matters for the $have_sdn case, checked implict
                return 1 if $authuser eq 'root@pam' || !defined($vnets);
+               return 1 if !defined(PVE::Network::SDN::Vnets::sdn_vnets_config($vnet_cfg, $_[0], 1)); # not a vnet
                $rpcenv->check_any($authuser, "/sdn/vnets/$_[0]", ['SDN.Audit', 'SDN.Allocate'], 1)
            };
 
            if ($have_sdn && $param->{type} eq 'any_bridge') {
                $vnets = PVE::Network::SDN::get_local_vnets(); # returns already access-filtered
+               $vnet_cfg = PVE::Network::SDN::Vnets::config();
            }
 
            for my $k (sort keys $ifaces->%*) {