On March 11, 2022 12:24 pm, Oguz Bektas wrote:
> Signed-off-by: Oguz Bektas <o.bek...@proxmox.com>
> ---
> PVE/API2/Qemu.pm | 59 ++++++++++++++++++++++++++++++++----------------
> 1 file changed, 40 insertions(+), 19 deletions(-)
>
> diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
> index 21fc82b..95cc46d 100644
> --- a/PVE/API2/Qemu.pm
> +++ b/PVE/API2/Qemu.pm
> @@ -1126,8 +1126,8 @@ my $update_vm_api = sub {
> my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser,
> "/vms/$vmid", ['SuperUser'], 1);
>
> my $skiplock = extract_param($param, 'skiplock');
> - raise_param_exc({ skiplock => "Only root may use this option." })
> - if $skiplock && $authuser ne 'root@pam';
> + raise_param_exc({ skiplock => "Only superusers may use this option." })
> + if $skiplock && !$is_superuser;
>
> my $delete_str = extract_param($param, 'delete');
>
> @@ -1645,9 +1645,11 @@ __PACKAGE__->register_method({
> my $authuser = $rpcenv->get_user();
> my $vmid = $param->{vmid};
>
> + my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser,
> "/vms/$vmid", ['SuperUser'], 1);
nit: line too long
> +
> my $skiplock = $param->{skiplock};
> - raise_param_exc({ skiplock => "Only root may use this option." })
> - if $skiplock && $authuser ne 'root@pam';
> + raise_param_exc({ skiplock => "Only superusers may use this option." })
> + if $skiplock && !$is_superuser;
>
> my $early_checks = sub {
> # test if VM exists
> @@ -2290,6 +2292,12 @@ __PACKAGE__->register_method({
> my $timeout = extract_param($param, 'timeout');
> my $machine = extract_param($param, 'machine');
>
> + my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser,
> "/vms/$vmid", ['SuperUser'], 1);
same
> +
> + my $skiplock = extract_param($param, 'skiplock');
> + raise_param_exc({ skiplock => "Only superusers may use this option." })
> + if $skiplock && !$is_superuser;
> +
> my $get_root_param = sub {
> my $value = extract_param($param, $_[0]);
> raise_param_exc({ "$_[0]" => "Only root may use this option." })
> @@ -2298,7 +2306,6 @@ __PACKAGE__->register_method({
> };
>
a comment here that this are intentionally still root@pam because they are only used for migration-internal flows (and marking them as such in the parameter description) would be nice..
> my $stateuri = $get_root_param->('stateuri');
> - my $skiplock = $get_root_param->('skiplock');
> my $migratedfrom = $get_root_param->('migratedfrom');
> my $migration_type = $get_root_param->('migration_type');
> my $migration_network = $get_root_param->('migration_network');
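Review bot: The `$is_superuser` expression added in the `@@ -1645` hunk is pasted verbatim into the other eight hunks that add it (`-2290`, `-2436`, `-2513`, `-2580`, `-2739`, `-2811`, `-2883`, `-4114`), so together with the existing copy in `$update_vm_api` the rule for who may pass `skiplock` now lives in ten places and a later change to it can easily miss one. A single file-level helper that takes `$rpcenv`, `$authuser`, `$vmid` and `$skiplock` and raises the parameter exception itself would keep that authorization decision in one spot, and it can skip the ACL lookup when `skiplock` is not set. The handler bodies continue outside the hunks, so the call site shown is a sketch; the `@@ -1645` handler reads `$param->{skiplock}` instead of using `extract_param`.

```perl
# Shared gate for the 'skiplock' parameter: root@pam, or SuperUser on the guest's ACL path.
my $assert_skiplock_allowed = sub {
    my ($rpcenv, $authuser, $vmid, $skiplock) = @_;

    return if !$skiplock || $authuser eq 'root@pam';

    raise_param_exc({ skiplock => "Only superusers may use this option." })
        if !$rpcenv->check($authuser, "/vms/$vmid", ['SuperUser'], 1);
};

# ... unchanged: handler preamble ($rpcenv, $authuser, $vmid) ...
my $skiplock = extract_param($param, 'skiplock');
$assert_skiplock_allowed->($rpcenv, $authuser, $vmid, $skiplock);
```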
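Review bot: The new check in the `@@ -2290` hunk evaluates `SuperUser` on `/vms/$vmid` rather than on `/`, so a grant scoped to a single guest (or, presumably, inherited from a parent ACL path) is now enough to pass `skiplock`, which this handler previously limited to `root@pam` through `$get_root_param`. If that scope is intended, it should be stated above the check, for example `# skiplock: allowed for root@pam or any user holding SuperUser on /vms/$vmid`, and the description of the `skiplock` option should be checked for wording that still says only root may use it. Since the option appears to override the guest lock, a log line naming `$authuser` when it is honoured would make its use by non-root accounts auditable. The handler body continues outside the hunk, so where such a line belongs cannot be seen here.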
> @@ -2436,9 +2443,11 @@ __PACKAGE__->register_method({
> my $node = extract_param($param, 'node');
> my $vmid = extract_param($param, 'vmid');
>
> + my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser,
> "/vms/$vmid", ['SuperUser'], 1);
same
> +
> my $skiplock = extract_param($param, 'skiplock');
> - raise_param_exc({ skiplock => "Only root may use this option." })
> - if $skiplock && $authuser ne 'root@pam';
> + raise_param_exc({ skiplock => "Only superusers may use this option." })
> + if $skiplock && !$is_superuser;
>
> my $keepActive = extract_param($param, 'keepActive');
> raise_param_exc({ keepActive => "Only root may use this option." })
and same for these here (keepactive -> vzdump, migratedfrom -> migration)
> @@ -2513,9 +2522,11 @@ __PACKAGE__->register_method({
>
> my $vmid = extract_param($param, 'vmid');
>
> + my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser,
> "/vms/$vmid", ['SuperUser'], 1);
same
> +
> my $skiplock = extract_param($param, 'skiplock');
> - raise_param_exc({ skiplock => "Only root may use this option." })
> - if $skiplock && $authuser ne 'root@pam';
> + raise_param_exc({ skiplock => "Only superusers may use this option." })
> + if $skiplock && !$is_superuser;
>
> die "VM $vmid not running\n" if !PVE::QemuServer::check_running($vmid);
>
> @@ -2580,9 +2591,11 @@ __PACKAGE__->register_method({
> my $node = extract_param($param, 'node');
> my $vmid = extract_param($param, 'vmid');
>
> + my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser,
> "/vms/$vmid", ['SuperUser'], 1);
same
> +
> my $skiplock = extract_param($param, 'skiplock');
> - raise_param_exc({ skiplock => "Only root may use this option." })
> - if $skiplock && $authuser ne 'root@pam';
> + raise_param_exc({ skiplock => "Only superusers may use this option." })
> + if $skiplock && !$is_superuser;
>
> my $keepActive = extract_param($param, 'keepActive');
> raise_param_exc({ keepActive => "Only root may use this option." })
again, comment here and in schema description would be nice
> @@ -2739,9 +2752,11 @@ __PACKAGE__->register_method({
>
> my $statestorage = extract_param($param, 'statestorage');
>
> + my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser,
> "/vms/$vmid", ['SuperUser'], 1);
again
> +
> my $skiplock = extract_param($param, 'skiplock');
> - raise_param_exc({ skiplock => "Only root may use this option." })
> - if $skiplock && $authuser ne 'root@pam';
> + raise_param_exc({ skiplock => "Only superusers may use this option." })
> + if $skiplock && !$is_superuser;
>
> die "VM $vmid not running\n" if !PVE::QemuServer::check_running($vmid);
>
> @@ -2811,9 +2826,11 @@ __PACKAGE__->register_method({
>
> my $vmid = extract_param($param, 'vmid');
>
> + my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser,
> "/vms/$vmid", ['SuperUser'], 1);
same
> +
> my $skiplock = extract_param($param, 'skiplock');
> - raise_param_exc({ skiplock => "Only root may use this option." })
> - if $skiplock && $authuser ne 'root@pam';
> + raise_param_exc({ skiplock => "Only superusers may use this option." })
> + if $skiplock && !$is_superuser;
>
> my $nocheck = extract_param($param, 'nocheck');
> raise_param_exc({ nocheck => "Only root may use this option." })
and comment here again (migration?)
> @@ -2883,9 +2900,11 @@ __PACKAGE__->register_method({
>
> my $vmid = extract_param($param, 'vmid');
>
> + my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser,
> "/vms/$vmid", ['SuperUser'], 1);
> +
> my $skiplock = extract_param($param, 'skiplock');
> - raise_param_exc({ skiplock => "Only root may use this option." })
> - if $skiplock && $authuser ne 'root@pam';
> + raise_param_exc({ skiplock => "Only superusers may use this option." })
> + if $skiplock && !$is_superuser;
>
> PVE::QemuServer::vm_sendkey($vmid, $skiplock, $param->{key});
>
> @@ -4114,9 +4133,11 @@ __PACKAGE__->register_method({
>
> my $sizestr = extract_param($param, 'size');
>
> + my $is_superuser = $authuser eq 'root@pam' || $rpcenv->check($authuser,
> "/vms/$vmid", ['SuperUser'], 1);
> +
> my $skiplock = extract_param($param, 'skiplock');
> - raise_param_exc({ skiplock => "Only root may use this option." })
> - if $skiplock && $authuser ne 'root@pam';
> + raise_param_exc({ skiplock => "Only superusers may use this option."
> })
> + if $skiplock && !$is_superuser;
>
> my $storecfg = PVE::Storage::config();
>
> --
> 2.30.2
>
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
>
>
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel