(custom) templates might contain sensitive data, so require at least
read access on the underlying storage to access ISO and template files.
The same permissions are already needed for listing them, so this is
unlikely to cause fallout.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
if ($sid) {
my ($vtype, undef, $ownervm) = parse_volname($cfg, $volid);
if ($vtype eq 'iso' || $vtype eq 'vztmpl') {
- # we simply allow access
+ # at least read access to storage
+ $rpcenv->check_any($user, "/storage/$sid", ['Datastore.AllocateSpace', 'Datastore.Audit']);
} elsif (defined($ownervm) && defined($vmid) && ($ownervm == $vmid)) {
# we are owner - allow access
} elsif ($vtype eq 'backup' && $ownervm) {
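Review bot: The new comment in the iso/vztmpl branch, "at least read access to storage", does not say which privileges count as read access, while the call below it accepts either Datastore.AllocateSpace or Datastore.Audit on /storage/$sid. Please name both in the comment so the intent is clear when the privilege list changes. The return value of check_any is also discarded, so the branch only denies access if check_any raises on failure; a short note to that effect (or an explicit check of the result) would make the denial path obvious to the next reader. Since ISO and template volumes were previously allowed unconditionally here, a test for a user who has neither privilege on the storage would be a good addition to back the "unlikely to cause fallout" claim in the commit message.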