src/api2/admin/datastore.rs - get_datastore_list: only return name and comment

We dont want to leak the full configuration to users with limited access permission.
Please use the api2::config::datastore api to get the full configuration.
This commit is contained in:
Dietmar Maurer 2020-04-29 09:21:34 +02:00
parent 0a00f6e01c
commit 30fb602578

View File

@ -660,6 +660,22 @@ pub fn garbage_collection_status(
}
#[api(
returns: {
description: "List the accessible datastores.",
type: Array,
items: {
description: "Datastore name and description.",
properties: {
store: {
schema: DATASTORE_SCHEMA,
},
comment: {
optional: true,
schema: SINGLE_LINE_COMMENT_SCHEMA,
},
},
},
},
access: {
permission: &Permission::Anybody,
},
@ -676,15 +692,21 @@ fn get_datastore_list(
let username = rpcenv.get_user().unwrap();
let user_info = CachedUserInfo::new()?;
let mut skip: Vec<&str> = Vec::new();
let mut list = Vec::new();
for (store, _) in &config.sections {
for (store, (_, data)) in &config.sections {
let user_privs = user_info.lookup_privs(&username, &["datastore", &store]);
let allowed = (user_privs & (PRIV_DATASTORE_AUDIT| PRIV_DATASTORE_BACKUP)) != 0;
if !allowed { skip.push(store); }
if allowed {
let mut entry = json!({ "store": store });
if let Some(comment) = data["comment"].as_str() {
entry["comment"] = comment.into();
}
list.push(entry);
}
}
Ok(config.convert_to_array("store", None, &skip))
Ok(list.into())
}
#[sortable]