Re: [pve-devel] [PATCH qemu-server v9 1/1] api: update: improve tag privilege check

Tue, 15 Nov 2022 00:34:54 -0800 

a small nit inline

On 11/14/22 10:43, Dominik Csapak wrote:

'normal' tags require 'VM.Config.Options' on '/vm/<vmid>', but not
allowed tags (either limited with 'user-tag-access' or 'privileged-tags'
in the datacenter config) require 'Sys.Modify' on '/'

this patch implements the proper checks on adding/editing/deleting
these permissions

Signed-off-by: Dominik Csapak <d.csa...@proxmox.com>
---
changes from v8:
* adapt to 'get_allowed_tags'
* cache privilege checks (so we don't have to do it when many tags change)
  PVE/API2/Qemu.pm | 53 +++++++++++++++++++++++++++++++++++++++++++++++-
  1 file changed, 52 insertions(+), 1 deletion(-)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 30348e6..269451c 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -539,7 +539,6 @@ my $generaloptions = {
      'startup' => 1,
      'tdf' => 1,
      'template' => 1,
-    'tags' => 1,
  };
my $vmpoweroptions = { 
@@ -609,6 +608,7 @@ my $check_vm_modify_config_perm = sub {
        next if PVE::QemuServer::is_valid_drivename($opt);
        next if $opt eq 'cdrom';
        next if $opt =~ m/^(?:unused|serial|usb)\d+$/;
+       next if $opt eq 'tags';
if ($cpuoptions->{$opt} || $opt =~ m/^numa\d+$/) { 
@@ -1631,6 +1631,31 @@ my $update_vm_api  = sub {
                }
            };
+ my $allowed_tags; 
+           my $privileged_tags;
+           my $freeform;
+           my $privileged_user = $rpcenv->check($authuser, '/', 
['Sys.Modify'], 1);
+           my $has_config_options =
+               $rpcenv->check_vm_perm($authuser, $vmid, undef, 
['VM.Config.Options'], 1);
+
+           my $check_tag_perms = sub {
+               my ($tag) = @_;
+
+               return if $privileged_user;
+
+               $rpcenv->check_vm_perm($authuser, $vmid, undef, 
['VM.Config.Options'])
+                   if !$has_config_options;
+
+               if (!defined($allowed_tags) && !defined($privileged_tags) && 
!defined($freeform)) {
+                   ($allowed_tags, $privileged_tags, $freeform)
+                       = PVE::DataCenterConfig::get_allowed_tags($rpcenv, 
$authuser);
+               }
+
+               if ((!$allowed_tags->{$tag} && !$freeform) || 
$privileged_tags->{$tag}) {
+                   die "'Sys.Modify' required on '/' for modifying tag $tag\n" 
if !$privileged_user;
would be nice if the tag would be within '. Putting $tag into {} would be a bit cleaner as well: 

... for modifying tag '${tag}'\n" ...



+               }
+           };

[...]


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Reply via email to