Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
P
pve-manager
Project
Project
Details
Activity
Releases
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Administrator
pve-manager
Commits
52083148
Commit
52083148
authored
Jan 31, 2012
by
Dietmar Maurer
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
add/improve pool permission check
parent
d5704517
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
27 additions
and
10 deletions
+27
-10
Cluster.pm
PVE/API2/Cluster.pm
+3
-3
Pool.pm
PVE/API2/Pool.pm
+24
-7
No files found.
PVE/API2/Cluster.pm
View file @
52083148
...
@@ -162,7 +162,7 @@ __PACKAGE__->register_method({
...
@@ -162,7 +162,7 @@ __PACKAGE__->register_method({
foreach
my
$pool
(
keys
%
{
$usercfg
->
{
pools
}})
{
foreach
my
$pool
(
keys
%
{
$usercfg
->
{
pools
}})
{
my
$d
=
$usercfg
->
{
pools
}
->
{
$pool
};
my
$d
=
$usercfg
->
{
pools
}
->
{
$pool
};
next
if
!
$rpcenv
->
check
(
$authuser
,
"
/pool/
$pool
",
[
'
VM.Audit
'
],
1
);
next
if
!
$rpcenv
->
check
(
$authuser
,
"
/pool/
$pool
",
[
'
Pool.Allocate
'
],
1
);
my
$entry
=
{
my
$entry
=
{
id
=>
"
/pool/
$pool
",
id
=>
"
/pool/
$pool
",
...
@@ -180,8 +180,6 @@ __PACKAGE__->register_method({
...
@@ -180,8 +180,6 @@ __PACKAGE__->register_method({
if
(
!
$param
->
{
type
}
||
$param
->
{
type
}
eq
'
vm
')
{
if
(
!
$param
->
{
type
}
||
$param
->
{
type
}
eq
'
vm
')
{
foreach
my
$vmid
(
keys
%
$idlist
)
{
foreach
my
$vmid
(
keys
%
$idlist
)
{
next
if
!
$rpcenv
->
check
(
$authuser
,
"
/vms/
$vmid
",
[
'
VM.Audit
'
],
1
);
my
$data
=
$idlist
->
{
$vmid
};
my
$data
=
$idlist
->
{
$vmid
};
my
$entry
=
PVE::API2Tools::
extract_vm_stats
(
$vmid
,
$data
,
$rrd
);
my
$entry
=
PVE::API2Tools::
extract_vm_stats
(
$vmid
,
$data
,
$rrd
);
if
(
defined
(
$entry
->
{
uptime
}))
{
if
(
defined
(
$entry
->
{
uptime
}))
{
...
@@ -200,6 +198,8 @@ __PACKAGE__->register_method({
...
@@ -200,6 +198,8 @@ __PACKAGE__->register_method({
}
}
}
}
next
if
!
$rpcenv
->
check
(
$authuser
,
"
/vms/
$vmid
",
[
'
VM.Audit
'
],
1
);
push
@$res
,
$entry
;
push
@$res
,
$entry
;
}
}
}
}
...
...
PVE/API2/Pool.pm
View file @
52083148
...
@@ -23,6 +23,7 @@ __PACKAGE__->register_method ({
...
@@ -23,6 +23,7 @@ __PACKAGE__->register_method ({
method
=>
'
GET
',
method
=>
'
GET
',
description
=>
"
Pool index.
",
description
=>
"
Pool index.
",
permissions
=>
{
permissions
=>
{
description
=>
"
List all pools where you have Pool.Allocate permissions on /pool/<pool>.
",
user
=>
'
all
',
user
=>
'
all
',
},
},
parameters
=>
{
parameters
=>
{
...
@@ -43,12 +44,15 @@ __PACKAGE__->register_method ({
...
@@ -43,12 +44,15 @@ __PACKAGE__->register_method ({
my
(
$param
)
=
@_
;
my
(
$param
)
=
@_
;
my
$rpcenv
=
PVE::RPCEnvironment::
get
();
my
$rpcenv
=
PVE::RPCEnvironment::
get
();
my
$authuser
=
$rpcenv
->
get_user
();
my
$res
=
[]
;
my
$res
=
[]
;
my
$usercfg
=
$rpcenv
->
{
user_cfg
};
my
$usercfg
=
$rpcenv
->
{
user_cfg
};
foreach
my
$pool
(
keys
%
{
$usercfg
->
{
pools
}})
{
foreach
my
$pool
(
keys
%
{
$usercfg
->
{
pools
}})
{
next
if
!
$rpcenv
->
check
(
$authuser
,
"
/pool/
$pool
",
[
'
Pool.Allocate
'
],
1
);
my
$entry
=
{
poolid
=>
$pool
};
my
$entry
=
{
poolid
=>
$pool
};
my
$data
=
$usercfg
->
{
pools
}
->
{
$pool
};
my
$data
=
$usercfg
->
{
pools
}
->
{
$pool
};
$entry
->
{
comment
}
=
$data
->
{
comment
}
if
defined
(
$data
->
{
comment
});
$entry
->
{
comment
}
=
$data
->
{
comment
}
if
defined
(
$data
->
{
comment
});
...
@@ -64,7 +68,7 @@ __PACKAGE__->register_method ({
...
@@ -64,7 +68,7 @@ __PACKAGE__->register_method ({
path
=>
'',
path
=>
'',
method
=>
'
POST
',
method
=>
'
POST
',
permissions
=>
{
permissions
=>
{
check
=>
['
perm
',
'
/
access
',
['
Sys.Modify
']],
check
=>
['
perm
',
'
/
pool/{poolid}
',
['
Pool.Allocate
']],
},
},
description
=>
"
Create new pool.
",
description
=>
"
Create new pool.
",
parameters
=>
{
parameters
=>
{
...
@@ -104,7 +108,8 @@ __PACKAGE__->register_method ({
...
@@ -104,7 +108,8 @@ __PACKAGE__->register_method ({
path
=>
'
{poolid}
',
path
=>
'
{poolid}
',
method
=>
'
PUT
',
method
=>
'
PUT
',
permissions
=>
{
permissions
=>
{
check
=>
['
perm
',
'
/access
',
['
Sys.Modify
']],
description
=>
"
You aslo need the right to modify permissions on any object you add/delete.
",
check
=>
['
perm
',
'
/pool/{poolid}
',
['
Pool.Allocate
']],
},
},
description
=>
"
Update pool data.
",
description
=>
"
Update pool data.
",
parameters
=>
{
parameters
=>
{
...
@@ -133,6 +138,9 @@ __PACKAGE__->register_method ({
...
@@ -133,6 +138,9 @@ __PACKAGE__->register_method ({
code
=>
sub
{
code
=>
sub
{
my
(
$param
)
=
@_
;
my
(
$param
)
=
@_
;
my
$rpcenv
=
PVE::RPCEnvironment::
get
();
my
$authuser
=
$rpcenv
->
get_user
();
PVE::AccessControl::
lock_user_config
(
PVE::AccessControl::
lock_user_config
(
sub
{
sub
{
...
@@ -149,6 +157,7 @@ __PACKAGE__->register_method ({
...
@@ -149,6 +157,7 @@ __PACKAGE__->register_method ({
if
(
defined
(
$param
->
{
vms
}))
{
if
(
defined
(
$param
->
{
vms
}))
{
foreach
my
$vmid
(
PVE::Tools::
split_list
(
$param
->
{
vms
}))
{
foreach
my
$vmid
(
PVE::Tools::
split_list
(
$param
->
{
vms
}))
{
$rpcenv
->
check_perm_modify
(
$authuser
,
"
/vms/
$vmid
");
if
(
$param
->
{
delete
})
{
if
(
$param
->
{
delete
})
{
die
"
VM
$vmid
is not a pool member
\n
"
die
"
VM
$vmid
is not a pool member
\n
"
if
!
$data
->
{
vms
}
->
{
$vmid
};
if
!
$data
->
{
vms
}
->
{
$vmid
};
...
@@ -168,6 +177,7 @@ __PACKAGE__->register_method ({
...
@@ -168,6 +177,7 @@ __PACKAGE__->register_method ({
if
(
defined
(
$param
->
{
storage
}))
{
if
(
defined
(
$param
->
{
storage
}))
{
foreach
my
$storeid
(
PVE::Tools::
split_list
(
$param
->
{
storage
}))
{
foreach
my
$storeid
(
PVE::Tools::
split_list
(
$param
->
{
storage
}))
{
$rpcenv
->
check_perm_modify
(
$authuser
,
"
/storage/
$storeid
");
if
(
$param
->
{
delete
})
{
if
(
$param
->
{
delete
})
{
die
"
Storage '
$storeid
' is not a pool member
\n
"
die
"
Storage '
$storeid
' is not a pool member
\n
"
if
!
$data
->
{
storage
}
->
{
$storeid
};
if
!
$data
->
{
storage
}
->
{
$storeid
};
...
@@ -192,9 +202,9 @@ __PACKAGE__->register_method ({
...
@@ -192,9 +202,9 @@ __PACKAGE__->register_method ({
path
=>
'
{poolid}
',
path
=>
'
{poolid}
',
method
=>
'
GET
',
method
=>
'
GET
',
permissions
=>
{
permissions
=>
{
check
=>
['
perm
',
'
/
access
',
['
Sys.Audit
']],
check
=>
['
perm
',
'
/
pool/{poolid}
',
['
Pool.Allocate
']],
},
},
description
=>
"
Get
group
configuration.
",
description
=>
"
Get
pool
configuration.
",
parameters
=>
{
parameters
=>
{
additionalProperties
=>
0
,
additionalProperties
=>
0
,
properties
=>
{
properties
=>
{
...
@@ -274,9 +284,10 @@ __PACKAGE__->register_method ({
...
@@ -274,9 +284,10 @@ __PACKAGE__->register_method ({
path
=>
'
{poolid}
',
path
=>
'
{poolid}
',
method
=>
'
DELETE
',
method
=>
'
DELETE
',
permissions
=>
{
permissions
=>
{
check
=>
['
perm
',
'
/access
',
['
Sys.Modify
']],
description
=>
"
You can only delete empty pools (no members).
",
check
=>
['
perm
',
'
/pool/{poolid}
',
['
Pool.Allocate
']],
},
},
description
=>
"
Delete
group
.
",
description
=>
"
Delete
pool
.
",
parameters
=>
{
parameters
=>
{
additionalProperties
=>
0
,
additionalProperties
=>
0
,
properties
=>
{
properties
=>
{
...
@@ -287,6 +298,9 @@ __PACKAGE__->register_method ({
...
@@ -287,6 +298,9 @@ __PACKAGE__->register_method ({
code
=>
sub
{
code
=>
sub
{
my
(
$param
)
=
@_
;
my
(
$param
)
=
@_
;
my
$rpcenv
=
PVE::RPCEnvironment::
get
();
my
$authuser
=
$rpcenv
->
get_user
();
PVE::AccessControl::
lock_user_config
(
PVE::AccessControl::
lock_user_config
(
sub
{
sub
{
...
@@ -298,7 +312,10 @@ __PACKAGE__->register_method ({
...
@@ -298,7 +312,10 @@ __PACKAGE__->register_method ({
die
"
pool '
$pool
' does not exist
\n
"
die
"
pool '
$pool
' does not exist
\n
"
if
!
$data
;
if
!
$data
;
die
"
pool '
$pool
' is not empty
\n
"
if
scalar
(
keys
%
{
$data
->
{
vms
}})
||
scalar
(
keys
%
{
$data
->
{
storage
}});
delete
(
$usercfg
->
{
pools
}
->
{
$pool
});
delete
(
$usercfg
->
{
pools
}
->
{
$pool
});
PVE::AccessControl::
delete_pool_acl
(
$pool
,
$usercfg
);
PVE::AccessControl::
delete_pool_acl
(
$pool
,
$usercfg
);
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment