Commit 52083148 authored by Dietmar Maurer's avatar Dietmar Maurer

add/improve pool permission check

parent d5704517
...@@ -162,7 +162,7 @@ __PACKAGE__->register_method({ ...@@ -162,7 +162,7 @@ __PACKAGE__->register_method({
foreach my $pool (keys %{$usercfg->{pools}}) { foreach my $pool (keys %{$usercfg->{pools}}) {
my $d = $usercfg->{pools}->{$pool}; my $d = $usercfg->{pools}->{$pool};
next if !$rpcenv->check($authuser, "/pool/$pool", [ 'VM.Audit' ], 1); next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Allocate' ], 1);
my $entry = { my $entry = {
id => "/pool/$pool", id => "/pool/$pool",
...@@ -180,8 +180,6 @@ __PACKAGE__->register_method({ ...@@ -180,8 +180,6 @@ __PACKAGE__->register_method({
if (!$param->{type} || $param->{type} eq 'vm') { if (!$param->{type} || $param->{type} eq 'vm') {
foreach my $vmid (keys %$idlist) { foreach my $vmid (keys %$idlist) {
next if !$rpcenv->check($authuser, "/vms/$vmid", [ 'VM.Audit' ], 1);
my $data = $idlist->{$vmid}; my $data = $idlist->{$vmid};
my $entry = PVE::API2Tools::extract_vm_stats($vmid, $data, $rrd); my $entry = PVE::API2Tools::extract_vm_stats($vmid, $data, $rrd);
if (defined($entry->{uptime})) { if (defined($entry->{uptime})) {
...@@ -200,6 +198,8 @@ __PACKAGE__->register_method({ ...@@ -200,6 +198,8 @@ __PACKAGE__->register_method({
} }
} }
next if !$rpcenv->check($authuser, "/vms/$vmid", [ 'VM.Audit' ], 1);
push @$res, $entry; push @$res, $entry;
} }
} }
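Review bot: The VM.Audit filter on `/vms/$vmid` now runs only just before `push @$res, $entry`, so `extract_vm_stats` and the lines between the second and third hunk (not shown here) execute for every VM in `$idlist`, including ones the caller may not audit. If those hidden lines fold per-VM data into shared per-pool entries, a user with Pool.Allocate on a pool would see totals that include guests they cannot otherwise see. That may be intended, but the code should say so. I would add a comment above the moved line, e.g. `# filtered late on purpose: <reason>; code above must not copy per-VM data into entries returned to the caller`, or move the check back to the top of the loop if no earlier step needs the unfiltered VMs.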
......
...@@ -23,6 +23,7 @@ __PACKAGE__->register_method ({ ...@@ -23,6 +23,7 @@ __PACKAGE__->register_method ({
method => 'GET', method => 'GET',
description => "Pool index.", description => "Pool index.",
permissions => { permissions => {
description => "List all pools where you have Pool.Allocate permissions on /pool/<pool>.",
user => 'all', user => 'all',
}, },
parameters => { parameters => {
...@@ -43,12 +44,15 @@ __PACKAGE__->register_method ({ ...@@ -43,12 +44,15 @@ __PACKAGE__->register_method ({
my ($param) = @_; my ($param) = @_;
my $rpcenv = PVE::RPCEnvironment::get(); my $rpcenv = PVE::RPCEnvironment::get();
my $authuser = $rpcenv->get_user();
my $res = []; my $res = [];
my $usercfg = $rpcenv->{user_cfg}; my $usercfg = $rpcenv->{user_cfg};
foreach my $pool (keys %{$usercfg->{pools}}) { foreach my $pool (keys %{$usercfg->{pools}}) {
next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Allocate' ], 1);
my $entry = { poolid => $pool }; my $entry = { poolid => $pool };
my $data = $usercfg->{pools}->{$pool}; my $data = $usercfg->{pools}->{$pool};
$entry->{comment} = $data->{comment} if defined($data->{comment}); $entry->{comment} = $data->{comment} if defined($data->{comment});
...@@ -64,7 +68,7 @@ __PACKAGE__->register_method ({ ...@@ -64,7 +68,7 @@ __PACKAGE__->register_method ({
path => '', path => '',
method => 'POST', method => 'POST',
permissions => { permissions => {
check => ['perm', '/access', ['Sys.Modify']], check => ['perm', '/pool/{poolid}', ['Pool.Allocate']],
}, },
description => "Create new pool.", description => "Create new pool.",
parameters => { parameters => {
...@@ -104,7 +108,8 @@ __PACKAGE__->register_method ({ ...@@ -104,7 +108,8 @@ __PACKAGE__->register_method ({
path => '{poolid}', path => '{poolid}',
method => 'PUT', method => 'PUT',
permissions => { permissions => {
check => ['perm', '/access', ['Sys.Modify']], description => "You aslo need the right to modify permissions on any object you add/delete.",
check => ['perm', '/pool/{poolid}', ['Pool.Allocate']],
}, },
description => "Update pool data.", description => "Update pool data.",
parameters => { parameters => {
...@@ -133,6 +138,9 @@ __PACKAGE__->register_method ({ ...@@ -133,6 +138,9 @@ __PACKAGE__->register_method ({
code => sub { code => sub {
my ($param) = @_; my ($param) = @_;
my $rpcenv = PVE::RPCEnvironment::get();
my $authuser = $rpcenv->get_user();
PVE::AccessControl::lock_user_config( PVE::AccessControl::lock_user_config(
sub { sub {
...@@ -149,6 +157,7 @@ __PACKAGE__->register_method ({ ...@@ -149,6 +157,7 @@ __PACKAGE__->register_method ({
if (defined($param->{vms})) { if (defined($param->{vms})) {
foreach my $vmid (PVE::Tools::split_list($param->{vms})) { foreach my $vmid (PVE::Tools::split_list($param->{vms})) {
$rpcenv->check_perm_modify($authuser, "/vms/$vmid");
if ($param->{delete}) { if ($param->{delete}) {
die "VM $vmid is not a pool member\n" die "VM $vmid is not a pool member\n"
if !$data->{vms}->{$vmid}; if !$data->{vms}->{$vmid};
...@@ -168,6 +177,7 @@ __PACKAGE__->register_method ({ ...@@ -168,6 +177,7 @@ __PACKAGE__->register_method ({
if (defined($param->{storage})) { if (defined($param->{storage})) {
foreach my $storeid (PVE::Tools::split_list($param->{storage})) { foreach my $storeid (PVE::Tools::split_list($param->{storage})) {
$rpcenv->check_perm_modify($authuser, "/storage/$storeid");
if ($param->{delete}) { if ($param->{delete}) {
die "Storage '$storeid' is not a pool member\n" die "Storage '$storeid' is not a pool member\n"
if !$data->{storage}->{$storeid}; if !$data->{storage}->{$storeid};
...@@ -192,9 +202,9 @@ __PACKAGE__->register_method ({ ...@@ -192,9 +202,9 @@ __PACKAGE__->register_method ({
path => '{poolid}', path => '{poolid}',
method => 'GET', method => 'GET',
permissions => { permissions => {
check => ['perm', '/access', ['Sys.Audit']], check => ['perm', '/pool/{poolid}', ['Pool.Allocate']],
}, },
description => "Get group configuration.", description => "Get pool configuration.",
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
...@@ -274,9 +284,10 @@ __PACKAGE__->register_method ({ ...@@ -274,9 +284,10 @@ __PACKAGE__->register_method ({
path => '{poolid}', path => '{poolid}',
method => 'DELETE', method => 'DELETE',
permissions => { permissions => {
check => ['perm', '/access', ['Sys.Modify']], description => "You can only delete empty pools (no members).",
check => ['perm', '/pool/{poolid}', ['Pool.Allocate']],
}, },
description => "Delete group.", description => "Delete pool.",
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
...@@ -287,6 +298,9 @@ __PACKAGE__->register_method ({ ...@@ -287,6 +298,9 @@ __PACKAGE__->register_method ({
code => sub { code => sub {
my ($param) = @_; my ($param) = @_;
my $rpcenv = PVE::RPCEnvironment::get();
my $authuser = $rpcenv->get_user();
PVE::AccessControl::lock_user_config( PVE::AccessControl::lock_user_config(
sub { sub {
...@@ -298,7 +312,10 @@ __PACKAGE__->register_method ({ ...@@ -298,7 +312,10 @@ __PACKAGE__->register_method ({
die "pool '$pool' does not exist\n" die "pool '$pool' does not exist\n"
if !$data; if !$data;
die "pool '$pool' is not empty\n"
if scalar (keys %{$data->{vms}}) || scalar(keys %{$data->{storage}});
delete ($usercfg->{pools}->{$pool}); delete ($usercfg->{pools}->{$pool});
PVE::AccessControl::delete_pool_acl($pool, $usercfg); PVE::AccessControl::delete_pool_acl($pool, $usercfg);
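Review bot: In the PUT handler the new `check_perm_modify` calls sit inside the `vms` and `storage` loops, so a request naming several members can pass the check for the first ones, have them changed in `$data`, and then die on a later one. Whether that is harmless depends on the config being written only after both loops complete, which is outside these hunks; the enclosing `lock_user_config` callback starts and ends beyond what is shown. Checking every member before touching `$data` makes the all-or-nothing behaviour explicit, e.g. `$rpcenv->check_perm_modify($authuser, "/vms/$_") for PVE::Tools::split_list($param->{vms});` ahead of the loop, and the same for `storage`. Separately, the new permissions description on the PUT method reads "aslo" and should be "also".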
......