On November 16, 2022 9:47 am, Dominik Csapak wrote:
> most of the points are clear and ok for me, but
> [snip]
>>> + format => $user_tag_privs_format,
>>> + },
>>> + 'privileged-tags' => {
>>> + optional => 1,
>>> + type => 'string',
>>> + description => "A list of tags that require a `Sys.Modify` on '/')
>>> to set and delete. "
>>> + ."Tags set here that are also in 'user-tag-access' also require
>>> `Sys.Modify`.",
>>> + pattern =>
>>> "(?:${PVE::JSONSchema::PVE_TAG_RE};)*${PVE::JSONSchema::PVE_TAG_RE}",
>>> + typetext => "<tag>[;<tag>...]",
>>
>> stray 'a' and ')' in first sentence.
>>
>> I am not sure the second sentence is necessary, or rather, wouldn't it be better
>> to make the two lists mutually exclusive? e.g., by removing privileged tags from
>> the other list?
>
> i don't really want to auto remove stuff from one option when set on another.
> maybe it'd make more sense if we don't allow setting an admin tag when
> it's already set in the 'user-allow-list' and vice versa? then
> there cannot be a situation where a tag is in both lists at the same time?
forbidding it on the API level (and maybe, to catch bugs, when writing the config) is only part of it though - such duplicates would need to be filtered out when parsing as well, else they can sneak in via a manual config file edit.

but yeah, that would work as well I think.

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
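
Review bot: The overlap between 'privileged-tags' and 'user-tag-access' is handled only in the second sentence of the 'privileged-tags' description; the pattern in this hunk checks just the shape of each tag, so nothing in these lines stops one tag from being listed in both options. If the two lists are to be mutually exclusive, that needs an explicit check where the option is set and a filter where the config is parsed, and the second description sentence can then be dropped. The first description sentence should also lose the stray article and the unmatched ')', for example "A list of tags that require `Sys.Modify` on '/' to set and delete."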