commit 052fbb2a4d1bdeb490b2e3b67cd7555e460ebe93 introduced permission
checks here that caused all regular bridges to be removed from the
returned list as soon as the SDN package is installed, unless the user
is root@pam or there exists a VNET with the same ID.
this is arguably a breaking change, so limit the priv check to actually
defined VNETs for the time being, and add ALL regular bridges
uncondtionally like before.
get_local_vnets already filters by the same prvs, so we need to get the
full config to find out which IDs are VNETs and which are not.
once/iff we introduce ACL paths for *all* bridges in the future, we can
limit accordingly here.
CC: Alexandre Derumier <aderum...@odiso.com>
Signed-off-by: Fabian Grünbichler <f.gruenbich...@proxmox.com>
---
PVE/API2/Network.pm | 3 +++
1 file changed, 3 insertions(+)
diff --git a/PVE/API2/Network.pm b/PVE/API2/Network.pm
index 214ab50a..a43579fa 100644
--- a/PVE/API2/Network.pm
+++ b/PVE/API2/Network.pm
@@ -240,13 +240,16 @@ __PACKAGE__->register_method({
if (my $tfilter = $param->{type}) {
my $vnets;
+ my $vnet_cfg;
my $can_access_vnet = sub { # only matters for the $have_sdn case,
checked implict
return 1 if $authuser eq 'root@pam' || !defined($vnets);
+ return 1 if
!defined(PVE::Network::SDN::Vnets::sdn_vnets_config($vnet_cfg, $_[0], 1)); #
not a vnet
$rpcenv->check_any($authuser, "/sdn/vnets/$_[0]", ['SDN.Audit',
'SDN.Allocate'], 1)
};
if ($have_sdn && $param->{type} eq 'any_bridge') {
$vnets = PVE::Network::SDN::get_local_vnets(); # returns
already access-filtered
+ $vnet_cfg = PVE::Network::SDN::Vnets::config();
}
for my $k (sort keys $ifaces->%*) {
--
2.30.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
