fix permission tests using non-uri parameters

We nood to do those tests inside the fuction body instead...
This commit is contained in:
Dietmar Maurer 2020-04-18 08:23:04 +02:00
parent a737179eb4
commit 365f0f720c
3 changed files with 31 additions and 8 deletions

View File

@ -15,6 +15,7 @@ use crate::server::{WorkerTask, H2Service};
use crate::backup::*;
use crate::api2::types::*;
use crate::config::acl::PRIV_DATASTORE_ALLOCATE_SPACE;
use crate::config::cached_user_info::CachedUserInfo;
mod environment;
use environment::*;
@ -38,7 +39,11 @@ pub const API_METHOD_UPGRADE_BACKUP: ApiMethod = ApiMethod::new(
("debug", true, &BooleanSchema::new("Enable verbose debug logging.").schema()),
]),
)
).access(None, &Permission::Privilege(&["datastore", "{store}"], PRIV_DATASTORE_ALLOCATE_SPACE, false));
).access(
// Note: parameter 'store' is no uri parameter, so we need to test inside function body
Some("The user needs Datastore.AllocateSpace privilege on /datastore/{store}."),
&Permission::Anybody
);
fn upgrade_to_backup_protocol(
parts: Parts,
@ -51,7 +56,13 @@ fn upgrade_to_backup_protocol(
async move {
let debug = param["debug"].as_bool().unwrap_or(false);
let username = rpcenv.get_user().unwrap();
let store = tools::required_string_param(&param, "store")?.to_owned();
let user_info = CachedUserInfo::new()?;
user_info.check_privs(&username, &["datastore", &store], PRIV_DATASTORE_ALLOCATE_SPACE, false)?;
let datastore = DataStore::lookup_datastore(&store)?;
let backup_type = tools::required_string_param(&param, "backup-type")?;
@ -74,7 +85,6 @@ fn upgrade_to_backup_protocol(
let worker_id = format!("{}_{}_{}", store, backup_type, backup_id);
let username = rpcenv.get_user().unwrap();
let env_type = rpcenv.env_type();
let backup_group = BackupGroup::new(backup_type, backup_id);

View File

@ -17,6 +17,7 @@ use crate::client::*;
use crate::config::remote;
use crate::api2::types::*;
use crate::config::acl::PRIV_DATASTORE_ALLOCATE_SPACE;
use crate::config::cached_user_info::CachedUserInfo;
// fixme: implement filters
// fixme: delete vanished groups
@ -389,10 +390,9 @@ pub async fn pull_store(
},
},
access: {
permission: &Permission::And(&[
&Permission::Privilege(&["datastore", "{store}"], PRIV_DATASTORE_ALLOCATE_SPACE, false),
&Permission::Privilege(&["remote", "{store}"], PRIV_DATASTORE_ALLOCATE_SPACE, false),
]),
// Note: used parameters are no uri parameters, so we need to test inside function body
description: "The user needs Datastore.AllocateSpace privilege on '/datastore/{store}' and '/remote/{remote}/{remote-store}'.",
permission: &Permission::Anybody,
},
)]
/// Sync store from other repository
@ -405,7 +405,11 @@ async fn pull (
rpcenv: &mut dyn RpcEnvironment,
) -> Result<String, Error> {
let user_info = CachedUserInfo::new()?;
let username = rpcenv.get_user().unwrap();
user_info.check_privs(&username, &["datastore", &store], PRIV_DATASTORE_ALLOCATE_SPACE, false)?;
user_info.check_privs(&username, &["remote", &remote, &remote_store], PRIV_DATASTORE_ALLOCATE_SPACE, false)?;
let delete = delete.unwrap_or(true);

View File

@ -16,6 +16,7 @@ use crate::backup::*;
use crate::server::{WorkerTask, H2Service};
use crate::tools;
use crate::config::acl::PRIV_DATASTORE_ALLOCATE_SPACE;
use crate::config::cached_user_info::CachedUserInfo;
mod environment;
use environment::*;
@ -42,7 +43,11 @@ pub const API_METHOD_UPGRADE_BACKUP: ApiMethod = ApiMethod::new(
("debug", true, &BooleanSchema::new("Enable verbose debug logging.").schema()),
]),
)
).access(None, &Permission::Privilege(&["datastore", "{store}"], PRIV_DATASTORE_ALLOCATE_SPACE, false));
).access(
// Note: parameter 'store' is no uri parameter, so we need to test inside function body
Some("The user needs Datastore.AllocateSpace privilege on /datastore/{store}."),
&Permission::Anybody
);
fn upgrade_to_backup_reader_protocol(
parts: Parts,
@ -55,7 +60,12 @@ fn upgrade_to_backup_reader_protocol(
async move {
let debug = param["debug"].as_bool().unwrap_or(false);
let username = rpcenv.get_user().unwrap();
let store = tools::required_string_param(&param, "store")?.to_owned();
let user_info = CachedUserInfo::new()?;
user_info.check_privs(&username, &["datastore", &store], PRIV_DATASTORE_ALLOCATE_SPACE, false)?;
let datastore = DataStore::lookup_datastore(&store)?;
let backup_type = tools::required_string_param(&param, "backup-type")?;
@ -76,7 +86,6 @@ fn upgrade_to_backup_reader_protocol(
bail!("unexpected http version '{:?}' (expected version < 2)", parts.version);
}
let username = rpcenv.get_user().unwrap();
let env_type = rpcenv.env_type();
let backup_dir = BackupDir::new(backup_type, backup_id, backup_time);