if ($sid) {
my ($vtype, undef, $ownervm) = parse_volname($cfg, $volid);
if ($vtype eq 'iso' || $vtype eq 'vztmpl') {
- # at least read access to storage
+ # require at least read access to storage, (custom) templates/ISOs could be sensitive
$rpcenv->check_any($user, "/storage/$sid", ['Datastore.AllocateSpace', 'Datastore.Audit']);
} elsif (defined($ownervm) && defined($vmid) && ($ownervm == $vmid)) {
# we are owner - allow access