From 91db3ececc7e22fc97c69122ac9a61d425b3328e Mon Sep 17 00:00:00 2001 From: Lorenz Stechauner Date: Thu, 20 May 2021 12:03:40 +0200 Subject: [PATCH] fix #3402: add Pool.Audit permission everywhere where Pool.Allocate was unnecessarly used it was replaced with Pool.Audit. `/cluster/resources` now returns pool infomation for guests only if the requesting user has the Pool.Audit permission on the pool. `/pool/` now returns only pools where the requesting user has the Pool.Audit permission. Signed-off-by: Lorenz Stechauner --- PVE/API2/Cluster.pm | 7 ++++++- PVE/API2/Pool.pm | 7 ++++--- PVE/API2/VZDump.pm | 2 +- 3 files changed, 11 insertions(+), 5 deletions(-) diff --git a/PVE/API2/Cluster.pm b/PVE/API2/Cluster.pm index ab5b28a1..641b846d 100644 --- a/PVE/API2/Cluster.pm +++ b/PVE/API2/Cluster.pm @@ -332,7 +332,7 @@ __PACKAGE__->register_method({ for my $pool (sort keys %{$usercfg->{pools}}) { my $d = $usercfg->{pools}->{$pool}; - next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Allocate' ], 1); + next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Audit' ], 1); my $entry = { id => "/pool/$pool", @@ -384,6 +384,11 @@ __PACKAGE__->register_method({ $entry->{lock} = $lock; } + if (defined($entry->{pool}) && + !$rpcenv->check($authuser, "/pool/$entry->{pool}", ['Pool.Audit'], 1)) { + delete $entry->{pool}; + } + # get ha status if (my $hatype = $hatypemap->{$entry->{type}}) { my $sid = "$hatype:$vmid"; diff --git a/PVE/API2/Pool.pm b/PVE/API2/Pool.pm index 43375b02..28c29ab8 100644 --- a/PVE/API2/Pool.pm +++ b/PVE/API2/Pool.pm @@ -22,7 +22,7 @@ __PACKAGE__->register_method ({ method => 'GET', description => "Pool index.", permissions => { - description => "List all pools where you have Pool.Allocate or VM.Allocate permissions on /pool/.", + description => "List all pools where you have Pool.Audit permissions on /pool/.", user => 'all', }, parameters => { @@ -47,9 +47,10 @@ __PACKAGE__->register_method ({ my $usercfg = $rpcenv->{user_cfg}; + my $res = []; for my $pool (sort keys %{$usercfg->{pools}}) { - next if !$rpcenv->check_any($authuser, "/pool/$pool", [ 'Pool.Allocate', 'VM.Allocate' ], 1); + next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Audit' ], 1); my $entry = { poolid => $pool }; my $pool_config = $usercfg->{pools}->{$pool}; @@ -200,7 +201,7 @@ __PACKAGE__->register_method ({ path => '{poolid}', method => 'GET', permissions => { - check => ['perm', '/pool/{poolid}', ['Pool.Allocate']], + check => ['perm', '/pool/{poolid}', ['Pool.Audit']], }, description => "Get pool configuration.", parameters => { diff --git a/PVE/API2/VZDump.pm b/PVE/API2/VZDump.pm index 82dd9415..4093d82f 100644 --- a/PVE/API2/VZDump.pm +++ b/PVE/API2/VZDump.pm @@ -226,7 +226,7 @@ __PACKAGE__->register_method ({ my $pool = $res->{pool}; if (defined($pool) && - !$rpcenv->check($authuser, "/pool/$pool", ['Pool.Allocate'], 1)) { + !$rpcenv->check($authuser, "/pool/$pool", ['Pool.Audit'], 1)) { delete $res->{pool}; } -- 2.39.2