it contains most ui relevant options, like the console preference and tag-style
so allow these for users without 'Sys.Audit' on '/'
(unchanged for all others)

we also add the list of allowed tags. while not strictly a datacenter
config, it's derived from the current user's privileges and the
datacenter config.

Signed-off-by: Dominik Csapak <d.csa...@proxmox.com>
---
 PVE/API2.pm         |  3 ++-
 PVE/API2/Cluster.pm | 24 ++++++++++++++++++++++--
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/PVE/API2.pm b/PVE/API2.pm
index a42561604..6703b941a 100644
--- a/PVE/API2.pm
+++ b/PVE/API2.pm
@@ -5,6 +5,7 @@ use warnings;
 
 use PVE::pvecfg;
 use PVE::DataCenterConfig;
+use PVE::GuestHelpers;
 use PVE::RESTHandler;
 use PVE::JSONSchema;
 
@@ -118,6 +119,7 @@ __PACKAGE__->register_method ({
 
        my $res = {};
 
+       # TODO remove with next major release
        my $datacenter_confg = eval { 
PVE::Cluster::cfs_read_file('datacenter.cfg') } // {};
        for my $k (qw(console)) {
            $res->{$k} = $datacenter_confg->{$k} if exists 
$datacenter_confg->{$k};
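Review bot: The new `# TODO remove with next major release` does not say what is to be removed or what clients should use instead. Judging by the rest of the patch, the `console` key is presumably meant to come from the cluster `options` endpoint in future, so something like `# TODO: remove 'console' here with the next major release, clients should read it from the cluster options endpoint` would leave less guesswork. The enclosing handler starts and ends outside this hunk.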
@@ -129,5 +131,4 @@ __PACKAGE__->register_method ({
 
        return $res;
     }});
-
 1;
diff --git a/PVE/API2/Cluster.pm b/PVE/API2/Cluster.pm
index 3ca85caa4..a06dc83a2 100644
--- a/PVE/API2/Cluster.pm
+++ b/PVE/API2/Cluster.pm
@@ -10,6 +10,7 @@ use PVE::Cluster qw(cfs_register_file cfs_lock_file 
cfs_read_file cfs_write_file
 use PVE::DataCenterConfig;
 use PVE::Exception qw(raise_param_exc);
 use PVE::Firewall;
+use PVE::GuestHelpers;
 use PVE::HA::Config;
 use PVE::HA::Env::PVE2;
 use PVE::INotify;
@@ -542,8 +543,9 @@ __PACKAGE__->register_method({
     name => 'get_options',
     path => 'options',
     method => 'GET',
-    description => "Get datacenter options.",
+    description => "Get datacenter options. Without 'Sys.Audit' on '/' not all 
options are returned.",
     permissions => {
+       user => 'all',
        check => ['perm', '/', [ 'Sys.Audit' ]],
     },
     parameters => {
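Review bot: With `user => 'all'` added next to the existing `check` entry, the permissions block still reads as if 'Sys.Audit' on '/' were required, while the handler now does the filtering itself. As far as I recall, the REST permission check accepts any authenticated user once `user => 'all'` is set, so the `check` line is presumably no longer enforced and acts only as documentation; this is worth confirming. I would replace it with a permissions description such as `description => "Sys.Audit on '/' is needed for the full config; other users only get 'console', 'tag-style' and 'allowed-tags'.",` so the generated API docs show where the access decision is made. The method definition starts and ends outside this hunk.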
@@ -557,7 +559,25 @@ __PACKAGE__->register_method({
     code => sub {
        my ($param) = @_;
 
-       return PVE::Cluster::cfs_read_file('datacenter.cfg');
+       my $res = {};
+
+       my $rpcenv = PVE::RPCEnvironment::get();
+       my $authuser = $rpcenv->get_user();
+
+       my $datacenter_config = eval { 
PVE::Cluster::cfs_read_file('datacenter.cfg') } // {};
+
+       if ($rpcenv->check($authuser, '/', ['Sys.Audit'], 1)) {
+           $res = $datacenter_config;
+       } else {
+           for my $k (qw(console tag-style)) {
+               $res->{$k} = $datacenter_config->{$k} if exists 
$datacenter_config->{$k};
+           }
+       }
+
+       my $tags = PVE::GuestHelpers::get_allowed_tags($rpcenv, $authuser);
+       $res->{'allowed-tags'} = [sort keys $tags->%*];
+
+       return $res;
     }});
 
 __PACKAGE__->register_method({
-- 
2.30.2


