src/api2/admin/datastore.rs - get_datastore_list: only return name and comment

We dont want to leak the full configuration to users with limited access permission. Please use the api2::config::datastore api to get the full configuration.
2020-04-29 09:21:34 +02:00 · 2020-04-29 09:21:34 +02:00 · 30fb602578
parent 0a00f6e01c
commit 30fb602578
1 changed files with 26 additions and 4 deletions
--- a/src/api2/admin/datastore.rs
+++ b/src/api2/admin/datastore.rs
@ -660,6 +660,22 @@ pub fn garbage_collection_status(
 }

 #[api(
+    returns: {
+        description: "List the accessible datastores.",
+        type: Array,
+        items: {
+            description: "Datastore name and description.",
+            properties: {
+                store: {
+                    schema: DATASTORE_SCHEMA,
+                },
+                comment: {
+                    optional: true,
+                    schema: SINGLE_LINE_COMMENT_SCHEMA,
+                },
+            },
+        },
+    },
    access: {
        permission: &Permission::Anybody,
    },
@ -676,15 +692,21 @@ fn get_datastore_list(
    let username = rpcenv.get_user().unwrap();
    let user_info = CachedUserInfo::new()?;

-    let mut skip: Vec<&str> = Vec::new();
+    let mut list = Vec::new();

-    for (store, _) in &config.sections {
+    for (store, (_, data)) in &config.sections {
        let user_privs = user_info.lookup_privs(&username, &["datastore", &store]);
        let allowed = (user_privs & (PRIV_DATASTORE_AUDIT| PRIV_DATASTORE_BACKUP)) != 0;
-        if !allowed { skip.push(store); }
+        if allowed {
+            let mut entry = json!({ "store": store });
+            if let Some(comment) = data["comment"].as_str() {
+                entry["comment"] = comment.into();
+            }
+            list.push(entry);
+        }
    }

-    Ok(config.convert_to_array("store", None, &skip))
+    Ok(list.into())
 }

 #[sortable]