On 11/16/22 09:54, Thomas Lamprecht wrote:
On 16/11/2022 at 09:47, Dominik Csapak wrote:
I am not sure the second sentence is necessary, or rather, wouldn't it be better
to make the two lists mutually exclusive? e.g., by removing privileged tags from
the other list?
i don't really want to auto remove stuff from one option when set on another.
maybe it'd make more sense if we don't allow setting an admin tag when
it's already set in the 'user-allow-list' and vice versa? then
there cannot be a situation where a tag is in both lists at the same time?
Limits use cases, as we'll only ever allow priv'd tags to be used for things
like backup job guest-source selection, and there may be scenarios where an
admin wants to allow the user to set specific privileged tags in the VMs
they control.
To make that work we'd:
- explicitly allow such listed tags for "normal" VM users even if they're in the
privileged-tags (that's why I used the term "registered" in previous comments,
might be better suited if we deem that privileged is then confusing)
- highlight the fact if a tag is in both
ok, then i have to change the permission checking code (currently i forbid
'normal' users the tag if it was in the 'privileged-tags' section, regardless
if it was in the 'user-allow-list' or not)
how would you highlight that? a warning on the cli/syslog/etc. is not
visible, but on the ui we don't really have an obvious place to do so
i could try to add a separate 'warning' row in the object grid when
that happens, not sure if that's what you meant though
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel