From: Dietmar Maurer Date: Mon, 6 Feb 2012 10:15:31 +0000 (+0100) Subject: set permissions for VZDump API X-Git-Url: https://git.proxmox.com/?p=pve-manager.git;a=commitdiff_plain;h=98e84b16d5d5466a2a3f62cce897445f0c036b7d set permissions for VZDump API --- diff --git a/PVE/API2/VZDump.pm b/PVE/API2/VZDump.pm index 6ce9f402..1c074332 100644 --- a/PVE/API2/VZDump.pm +++ b/PVE/API2/VZDump.pm @@ -22,6 +22,10 @@ __PACKAGE__->register_method ({ path => '', method => 'POST', description => "Create backup.", + permissions => { + description => "The user needs VM.Backup permissions on any VM.", + user => 'all', + }, protected => 1, proxyto => 'node', parameters => { @@ -99,6 +103,11 @@ __PACKAGE__->register_method ({ die "you can only backup a single VM with option --stdout\n" if $param->{stdout} && scalar(@vmids) != 1; + foreach my $key (qw(maxfiles tmpdir dumpdir script size bwlimit ionice)) { + raise_param_exc({ $key => "Only root may set this option."}) + if defined($param->{$key}) && ($user ne 'root@pam'); + } + my $vzdump = PVE::VZDump->new($cmdline, $param, $skiplist); my $worker = sub { @@ -115,7 +124,7 @@ __PACKAGE__->register_method ({ PVE::VZDump::run_command(undef, "ionice -c2 -n$param->{ionice} -p $$"); } } - $vzdump->exec_backup(); + $vzdump->exec_backup($rpcenv, $user); }; open STDOUT, '>/dev/null' if $param->{quiet} && !$param->{stdout}; diff --git a/PVE/VZDump.pm b/PVE/VZDump.pm index 5ae091e4..0647f308 100644 --- a/PVE/VZDump.pm +++ b/PVE/VZDump.pm @@ -10,6 +10,7 @@ use IO::Select; use IPC::Open3; use POSIX qw(strftime); use File::Path; +use PVE::RPCEnvironment; use PVE::Storage; use PVE::Cluster qw(cfs_read_file); use PVE::VZDump::OpenVZ; @@ -953,7 +954,7 @@ sub exec_backup_task { } sub exec_backup { - my ($self) = @_; + my ($rpcenv, $authuser, $self) = @_; my $opts = $self->{opts}; 
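Review bot: The `permissions` block added in the `@@ -22,6 +22,10 @@` hunk of PVE/API2/VZDump.pm sets `user => 'all'`, which as far as I can tell admits any authenticated user, so the VM.Backup requirement in the description is not enforced at registration level. Enforcement rests entirely on the root-only option loop and the per-VM `$rpcenv->check` calls added later in this commit. I would say that in the description, for example `description => "Any authenticated user may call this; VM.Backup is checked per VM and some options are restricted to root.",`, so a later reader does not assume the framework checks VM.Backup here.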
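Review bot: The root-only loop added in the `@@ -99,6 +103,11 @@` hunk is a deny-list, so any option missing from `qw(maxfiles tmpdir dumpdir script size bwlimit ionice)`, and any option added to the parameter schema later, is available to every caller by default. For a handler that is now open to all users, an allow-list of the options a non-root caller may set would fail closed instead. `$user` and `raise_param_exc` are not defined in the visible lines, so confirm both are in scope in this handler, which starts and ends outside the hunk.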
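Review bot: The new call `$vzdump->exec_backup($rpcenv, $user);` in the `@@ -115,7 +124,7 @@` hunk is a method call, so `@_` arrives as `($self, $rpcenv, $user)`, but the signature changed in the PVE/VZDump.pm hunk `@@ -953,7 +954,7 @@` unpacks it as `my ($rpcenv, $authuser, $self) = @_;`. As written, `$self` receives the user name string rather than the object, so `$self->{opts}` on the next line cannot work, and `$rpcenv` holds the VZDump object, so the permission checks added further down do not run against the RPC environment. The signature should read `my ($self, $rpcenv, $authuser) = @_;`. Other callers of `exec_backup` are not visible in this diff; any that still call it without arguments would reach `$rpcenv->check` with an undefined `$rpcenv`.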
@@ -968,6 +969,7 @@ sub exec_backup {
 my $vmlist = $plugin->vmlist();
 foreach my $vmid (sort @$vmlist) {
 next if grep { $_ eq $vmid } @{$opts->{exclude}};
+ next if !$rpcenv->check($authuser, "/vms/$vmid", [ 'VM.Backup' ], 1);
 push @$tasklist, { vmid => $vmid, state => 'todo', plugin => $plugin };
 }
 }
@@ -981,6 +983,7 @@ sub exec_backup {
 last;
 }
 }
+ $rpcenv->check($authuser, "/vms/$vmid", [ 'VM.Backup' ]);
 push @$tasklist, { vmid => $vmid, state => 'todo', plugin => $plugin };
 }
 }
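Review bot: In the `@@ -968,6 +969,7 @@` hunk the added `next if !$rpcenv->check($authuser, "/vms/$vmid", [ 'VM.Backup' ], 1);` drops every VM the caller lacks VM.Backup on without leaving any trace, so a job over all VMs can finish successfully having backed up only some of them, or none. A log entry per skipped VMID would let the user and an auditor tell "nothing to do" apart from "not permitted". The trailing `1` is an unnamed positional flag, presumably "return false instead of raising"; a comment such as `# noerr: skip VMs without VM.Backup instead of dying` would make that readable. The enclosing loop and `exec_backup` itself start outside the hunk.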
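Review bot: In the `@@ -981,6 +983,7 @@` hunk the result of `$rpcenv->check($authuser, "/vms/$vmid", [ 'VM.Backup' ]);` is discarded, so the line only protects anything if `check` raises on failure when called without the fourth argument used in the hunk above. That looks like the intent, but nothing here says so; add `# dies if $authuser lacks VM.Backup on this VM` above the call. The check also sits after the plugin lookup loop that ends with `last; } }`, most of which is outside the hunk; running the check before that lookup would reject an unauthorized request before any per-VM work is done for it.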