Commit 52083148 authored by Dietmar Maurer's avatar Dietmar Maurer

add/improve pool permission check

parent d5704517
......@@ -162,7 +162,7 @@ __PACKAGE__->register_method({
foreach my $pool (keys %{$usercfg->{pools}}) {
my $d = $usercfg->{pools}->{$pool};
next if !$rpcenv->check($authuser, "/pool/$pool", [ 'VM.Audit' ], 1);
next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Allocate' ], 1);
my $entry = {
id => "/pool/$pool",
......@@ -180,8 +180,6 @@ __PACKAGE__->register_method({
if (!$param->{type} || $param->{type} eq 'vm') {
foreach my $vmid (keys %$idlist) {
next if !$rpcenv->check($authuser, "/vms/$vmid", [ 'VM.Audit' ], 1);
my $data = $idlist->{$vmid};
my $entry = PVE::API2Tools::extract_vm_stats($vmid, $data, $rrd);
if (defined($entry->{uptime})) {
......@@ -200,6 +198,8 @@ __PACKAGE__->register_method({
}
}
next if !$rpcenv->check($authuser, "/vms/$vmid", [ 'VM.Audit' ], 1);
push @$res, $entry;
}
}
......
......@@ -23,6 +23,7 @@ __PACKAGE__->register_method ({
method => 'GET',
description => "Pool index.",
permissions => {
description => "List all pools where you have Pool.Allocate permissions on /pool/<pool>.",
user => 'all',
},
parameters => {
......@@ -43,12 +44,15 @@ __PACKAGE__->register_method ({
my ($param) = @_;
my $rpcenv = PVE::RPCEnvironment::get();
my $authuser = $rpcenv->get_user();
my $res = [];
my $usercfg = $rpcenv->{user_cfg};
foreach my $pool (keys %{$usercfg->{pools}}) {
next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Allocate' ], 1);
my $entry = { poolid => $pool };
my $data = $usercfg->{pools}->{$pool};
$entry->{comment} = $data->{comment} if defined($data->{comment});
......@@ -64,7 +68,7 @@ __PACKAGE__->register_method ({
path => '',
method => 'POST',
permissions => {
check => ['perm', '/access', ['Sys.Modify']],
check => ['perm', '/pool/{poolid}', ['Pool.Allocate']],
},
description => "Create new pool.",
parameters => {
......@@ -104,7 +108,8 @@ __PACKAGE__->register_method ({
path => '{poolid}',
method => 'PUT',
permissions => {
check => ['perm', '/access', ['Sys.Modify']],
description => "You aslo need the right to modify permissions on any object you add/delete.",
check => ['perm', '/pool/{poolid}', ['Pool.Allocate']],
},
description => "Update pool data.",
parameters => {
......@@ -133,6 +138,9 @@ __PACKAGE__->register_method ({
code => sub {
my ($param) = @_;
my $rpcenv = PVE::RPCEnvironment::get();
my $authuser = $rpcenv->get_user();
PVE::AccessControl::lock_user_config(
sub {
......@@ -149,6 +157,7 @@ __PACKAGE__->register_method ({
if (defined($param->{vms})) {
foreach my $vmid (PVE::Tools::split_list($param->{vms})) {
$rpcenv->check_perm_modify($authuser, "/vms/$vmid");
if ($param->{delete}) {
die "VM $vmid is not a pool member\n"
if !$data->{vms}->{$vmid};
......@@ -168,6 +177,7 @@ __PACKAGE__->register_method ({
if (defined($param->{storage})) {
foreach my $storeid (PVE::Tools::split_list($param->{storage})) {
$rpcenv->check_perm_modify($authuser, "/storage/$storeid");
if ($param->{delete}) {
die "Storage '$storeid' is not a pool member\n"
if !$data->{storage}->{$storeid};
......@@ -192,9 +202,9 @@ __PACKAGE__->register_method ({
path => '{poolid}',
method => 'GET',
permissions => {
check => ['perm', '/access', ['Sys.Audit']],
check => ['perm', '/pool/{poolid}', ['Pool.Allocate']],
},
description => "Get group configuration.",
description => "Get pool configuration.",
parameters => {
additionalProperties => 0,
properties => {
......@@ -274,9 +284,10 @@ __PACKAGE__->register_method ({
path => '{poolid}',
method => 'DELETE',
permissions => {
check => ['perm', '/access', ['Sys.Modify']],
description => "You can only delete empty pools (no members).",
check => ['perm', '/pool/{poolid}', ['Pool.Allocate']],
},
description => "Delete group.",
description => "Delete pool.",
parameters => {
additionalProperties => 0,
properties => {
......@@ -287,6 +298,9 @@ __PACKAGE__->register_method ({
code => sub {
my ($param) = @_;
my $rpcenv = PVE::RPCEnvironment::get();
my $authuser = $rpcenv->get_user();
PVE::AccessControl::lock_user_config(
sub {
......@@ -299,6 +313,9 @@ __PACKAGE__->register_method ({
die "pool '$pool' does not exist\n"
if !$data;
die "pool '$pool' is not empty\n"
if scalar (keys %{$data->{vms}}) || scalar(keys %{$data->{storage}});
delete ($usercfg->{pools}->{$pool});
PVE::AccessControl::delete_pool_acl($pool, $usercfg);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment