implement permission checks for cloud-init related options

Most cloud-init options are network related, so we simply check
for VM.Config.Network priviledge.

Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index fb8a6e3cd30824bf8ce6e8b0a9b531c1a03b5b3f..8d4b10d3a5299a2bdca22c6917e5a4378670c528 100644 (file)
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -291,6 +291,15 @@ my $diskoptions = {
     'vmstatestorage' => 1,
 };
 
+my $cloudinitoptions = {
+    cipassword => 1,
+    citype => 1,
+    ciuser => 1,
+    nameserver => 1,
+    searchdomain => 1,
+    sshkeys => 1,
+};
+
 my $check_vm_modify_config_perm = sub {
     my ($rpcenv, $authuser, $vmid, $pool, $key_list) = @_;
 
@@ -318,7 +327,7 @@ my $check_vm_modify_config_perm = sub {
            $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.PowerMgmt']);
        } elsif ($diskoptions->{$opt}) {
            $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Disk']);
-       } elsif ($opt =~ m/^(?:net|ipconfig)\d+$/) {
+       } elsif ($cloudinitoptions->{$opt} || ($opt =~ m/^(?:net|ipconfig)\d+$/)) {
            $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Network']);
        } else {
            # catches usb\d+, hostpci\d+, args, lock, etc.