src/api2/admin/datastore.rs - get_datastore_list: only return name and comment
We don't want to leak the full configuration to users with limited access permissions. Please use the api2::config::datastore API to get the full configuration.
parent
0a00f6e01c
commit
30fb602578
@ -660,6 +660,22 @@ pub fn garbage_collection_status(
|
||||
}
|
||||
|
||||
#[api(
|
||||
returns: {
|
||||
description: "List the accessible datastores.",
|
||||
type: Array,
|
||||
items: {
|
||||
description: "Datastore name and description.",
|
||||
properties: {
|
||||
store: {
|
||||
schema: DATASTORE_SCHEMA,
|
||||
},
|
||||
comment: {
|
||||
optional: true,
|
||||
schema: SINGLE_LINE_COMMENT_SCHEMA,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
access: {
|
||||
permission: &Permission::Anybody,
|
||||
},
|
||||
@ -676,15 +692,21 @@ fn get_datastore_list(
|
||||
let username = rpcenv.get_user().unwrap();
|
||||
let user_info = CachedUserInfo::new()?;
|
||||
|
||||
let mut skip: Vec<&str> = Vec::new();
|
||||
let mut list = Vec::new();
|
||||
|
||||
for (store, _) in &config.sections {
|
||||
for (store, (_, data)) in &config.sections {
|
||||
let user_privs = user_info.lookup_privs(&username, &["datastore", &store]);
|
||||
let allowed = (user_privs & (PRIV_DATASTORE_AUDIT| PRIV_DATASTORE_BACKUP)) != 0;
|
||||
if !allowed { skip.push(store); }
|
||||
if allowed {
|
||||
let mut entry = json!({ "store": store });
|
||||
if let Some(comment) = data["comment"].as_str() {
|
||||
entry["comment"] = comment.into();
|
||||
}
|
||||
list.push(entry);
|
||||
}
|
||||
}
|
||||
|
||||
Ok(config.convert_to_array("store", None, &skip))
|
||||
Ok(list.into())
|
||||
}
|
||||
|
||||
#[sortable]
|
||||
|
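Review bot: The loop in get_datastore_list now builds each entry by hand from `json!({ "store": store })` plus an optional `comment`, but nothing in the code marks this as a deliberate allow-list or ties it to the `returns` schema added in the first hunk. With `access` set to `Permission::Anybody`, the per-store check against `PRIV_DATASTORE_AUDIT | PRIV_DATASTORE_BACKUP` and this field selection are, as far as the visible lines show, what keeps the rest of the datastore configuration away from low-privileged users. I would add a comment above `if allowed {` such as `// Allow-list: expose only name and comment here; the full config stays behind api2::config::datastore.` A test that calls the handler as a user holding only the backup privilege and asserts that each entry has no keys other than `store` and `comment` would stop a later refactor from widening the response again. The function signature starts outside the hunk.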