check_volume_access: tighten checks for iso/tmpl

(custom) templates might contain sensitive data, so require at least
read access on the underlying storage to access ISO and template files.

the same permissions are already needed for listing them, so this is
unlikely to cause fallout.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

diff --git a/PVE/Storage.pm b/PVE/Storage.pm
index fc7a2ea80813210838ac6fe9b8eae9bce8d11ae7..a1c4a148a790956dab348f59ec72679e9a4f749c 100755 (executable)
--- a/PVE/Storage.pm
+++ b/PVE/Storage.pm
@@ -399,7 +399,8 @@ sub check_volume_access {
     if ($sid) {
        my ($vtype, undef, $ownervm) = parse_volname($cfg, $volid);
        if ($vtype eq 'iso' || $vtype eq 'vztmpl') {
-           # we simply allow access
+           # at least read access to storage
+           $rpcenv->check_any($user, "/storage/$sid", ['Datastore.AllocateSpace', 'Datastore.Audit']);
        } elsif (defined($ownervm) && defined($vmid) && ($ownervm == $vmid)) {
            # we are owner - allow access
        } elsif ($vtype eq 'backup' && $ownervm) {