previously limited to root@pam; we can allow SUs to use these options if
they have the privilege on the whole API path.
Signed-off-by: Oguz Bektas <o.bek...@proxmox.com>
---
PVE/API2/Backup.pm | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/PVE/API2/Backup.pm b/PVE/API2/Backup.pm
index 5d36789a..286996b5 100644
--- a/PVE/API2/Backup.pm
+++ b/PVE/API2/Backup.pm
@@ -41,10 +41,13 @@ my $vzdump_job_id_prop = {
my $assert_param_permission = sub {
my ($param, $user) = @_;
- return if $user eq 'root@pam'; # always OK
+ return if $user eq 'root@pam'; # root@pam always OK
+
+ my $rpcenv = PVE::RPCEnvironment::get();
+ return if $rpcenv->check($user, "/", ['SuperUser'], 1); # SuperUser on /,
always OK
for my $key (qw(tmpdir dumpdir script)) {
- raise_param_exc({ $key => "Only root may set this option."}) if exists
$param->{$key};
+ raise_param_exc({ $key => "Only superusers may set this option."}) if
exists $param->{$key};
}
};
@@ -143,7 +146,7 @@ __PACKAGE__->register_method({
description => "Create new vzdump backup job.",
permissions => {
check => ['perm', '/', ['Sys.Modify']],
- description => "The 'tmpdir', 'dumpdir' and 'script' parameters are
additionally restricted to the 'root\@pam' user.",
+ description => "The 'tmpdir', 'dumpdir' and 'script' parameters are
additionally restricted to superusers.",
},
parameters => {
additionalProperties => 0,
@@ -345,7 +348,7 @@ __PACKAGE__->register_method({
description => "Update vzdump backup job definition.",
permissions => {
check => ['perm', '/', ['Sys.Modify']],
- description => "The 'tmpdir', 'dumpdir' and 'script' parameters are
additionally restricted to the 'root\@pam' user.",
+ description => "The 'tmpdir', 'dumpdir' and 'script' parameters are
additionally restricted to superusers.",
},
parameters => {
additionalProperties => 0,
--
2.30.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
