fix permission tests using non-uri parameters
We nood to do those tests inside the fuction body instead...
This commit is contained in:
Dietmar Maurer
parent
a737179eb4
commit
365f0f720c
@ -15,6 +15,7 @@ use crate::server::{WorkerTask, H2Service};
|
|||||||
use crate::backup::*;
|
use crate::backup::*;
|
||||||
use crate::api2::types::*;
|
use crate::api2::types::*;
|
||||||
use crate::config::acl::PRIV_DATASTORE_ALLOCATE_SPACE;
|
use crate::config::acl::PRIV_DATASTORE_ALLOCATE_SPACE;
|
||||||
|
use crate::config::cached_user_info::CachedUserInfo;
|
||||||
|
|
||||||
mod environment;
|
mod environment;
|
||||||
use environment::*;
|
use environment::*;
|
||||||
@ -38,7 +39,11 @@ pub const API_METHOD_UPGRADE_BACKUP: ApiMethod = ApiMethod::new(
|
|||||||
("debug", true, &BooleanSchema::new("Enable verbose debug logging.").schema()),
|
("debug", true, &BooleanSchema::new("Enable verbose debug logging.").schema()),
|
||||||
]),
|
]),
|
||||||
)
|
)
|
||||||
).access(None, &Permission::Privilege(&["datastore", "{store}"], PRIV_DATASTORE_ALLOCATE_SPACE, false));
|
).access(
|
||||||
|
// Note: parameter 'store' is no uri parameter, so we need to test inside function body
|
||||||
|
Some("The user needs Datastore.AllocateSpace privilege on /datastore/{store}."),
|
||||||
|
&Permission::Anybody
|
||||||
|
);
|
||||||
|
|
||||||
fn upgrade_to_backup_protocol(
|
fn upgrade_to_backup_protocol(
|
||||||
parts: Parts,
|
parts: Parts,
|
||||||
@ -51,7 +56,13 @@ fn upgrade_to_backup_protocol(
|
|||||||
async move {
|
async move {
|
||||||
let debug = param["debug"].as_bool().unwrap_or(false);
|
let debug = param["debug"].as_bool().unwrap_or(false);
|
||||||
|
|
||||||
|
let username = rpcenv.get_user().unwrap();
|
||||||
|
|
||||||
let store = tools::required_string_param(¶m, "store")?.to_owned();
|
let store = tools::required_string_param(¶m, "store")?.to_owned();
|
||||||
|
|
||||||
|
let user_info = CachedUserInfo::new()?;
|
||||||
|
user_info.check_privs(&username, &["datastore", &store], PRIV_DATASTORE_ALLOCATE_SPACE, false)?;
|
||||||
|
|
||||||
let datastore = DataStore::lookup_datastore(&store)?;
|
let datastore = DataStore::lookup_datastore(&store)?;
|
||||||
|
|
||||||
let backup_type = tools::required_string_param(¶m, "backup-type")?;
|
let backup_type = tools::required_string_param(¶m, "backup-type")?;
|
||||||
@ -74,7 +85,6 @@ fn upgrade_to_backup_protocol(
|
|||||||
|
|
||||||
let worker_id = format!("{}_{}_{}", store, backup_type, backup_id);
|
let worker_id = format!("{}_{}_{}", store, backup_type, backup_id);
|
||||||
|
|
||||||
let username = rpcenv.get_user().unwrap();
|
|
||||||
let env_type = rpcenv.env_type();
|
let env_type = rpcenv.env_type();
|
||||||
|
|
||||||
let backup_group = BackupGroup::new(backup_type, backup_id);
|
let backup_group = BackupGroup::new(backup_type, backup_id);
|
||||||
|
|||||||
@ -17,6 +17,7 @@ use crate::client::*;
|
|||||||
use crate::config::remote;
|
use crate::config::remote;
|
||||||
use crate::api2::types::*;
|
use crate::api2::types::*;
|
||||||
use crate::config::acl::PRIV_DATASTORE_ALLOCATE_SPACE;
|
use crate::config::acl::PRIV_DATASTORE_ALLOCATE_SPACE;
|
||||||
|
use crate::config::cached_user_info::CachedUserInfo;
|
||||||
|
|
||||||
// fixme: implement filters
|
// fixme: implement filters
|
||||||
// fixme: delete vanished groups
|
// fixme: delete vanished groups
|
||||||
@ -389,10 +390,9 @@ pub async fn pull_store(
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
access: {
|
access: {
|
||||||
permission: &Permission::And(&[
|
// Note: used parameters are no uri parameters, so we need to test inside function body
|
||||||
&Permission::Privilege(&["datastore", "{store}"], PRIV_DATASTORE_ALLOCATE_SPACE, false),
|
description: "The user needs Datastore.AllocateSpace privilege on '/datastore/{store}' and '/remote/{remote}/{remote-store}'.",
|
||||||
&Permission::Privilege(&["remote", "{store}"], PRIV_DATASTORE_ALLOCATE_SPACE, false),
|
permission: &Permission::Anybody,
|
||||||
]),
|
|
||||||
},
|
},
|
||||||
)]
|
)]
|
||||||
/// Sync store from other repository
|
/// Sync store from other repository
|
||||||
@ -405,7 +405,11 @@ async fn pull (
|
|||||||
rpcenv: &mut dyn RpcEnvironment,
|
rpcenv: &mut dyn RpcEnvironment,
|
||||||
) -> Result<String, Error> {
|
) -> Result<String, Error> {
|
||||||
|
|
||||||
|
let user_info = CachedUserInfo::new()?;
|
||||||
|
|
||||||
let username = rpcenv.get_user().unwrap();
|
let username = rpcenv.get_user().unwrap();
|
||||||
|
user_info.check_privs(&username, &["datastore", &store], PRIV_DATASTORE_ALLOCATE_SPACE, false)?;
|
||||||
|
user_info.check_privs(&username, &["remote", &remote, &remote_store], PRIV_DATASTORE_ALLOCATE_SPACE, false)?;
|
||||||
|
|
||||||
let delete = delete.unwrap_or(true);
|
let delete = delete.unwrap_or(true);
|
||||||
|
|
||||||
|
|||||||
@ -16,6 +16,7 @@ use crate::backup::*;
|
|||||||
use crate::server::{WorkerTask, H2Service};
|
use crate::server::{WorkerTask, H2Service};
|
||||||
use crate::tools;
|
use crate::tools;
|
||||||
use crate::config::acl::PRIV_DATASTORE_ALLOCATE_SPACE;
|
use crate::config::acl::PRIV_DATASTORE_ALLOCATE_SPACE;
|
||||||
|
use crate::config::cached_user_info::CachedUserInfo;
|
||||||
|
|
||||||
mod environment;
|
mod environment;
|
||||||
use environment::*;
|
use environment::*;
|
||||||
@ -42,7 +43,11 @@ pub const API_METHOD_UPGRADE_BACKUP: ApiMethod = ApiMethod::new(
|
|||||||
("debug", true, &BooleanSchema::new("Enable verbose debug logging.").schema()),
|
("debug", true, &BooleanSchema::new("Enable verbose debug logging.").schema()),
|
||||||
]),
|
]),
|
||||||
)
|
)
|
||||||
).access(None, &Permission::Privilege(&["datastore", "{store}"], PRIV_DATASTORE_ALLOCATE_SPACE, false));
|
).access(
|
||||||
|
// Note: parameter 'store' is no uri parameter, so we need to test inside function body
|
||||||
|
Some("The user needs Datastore.AllocateSpace privilege on /datastore/{store}."),
|
||||||
|
&Permission::Anybody
|
||||||
|
);
|
||||||
|
|
||||||
fn upgrade_to_backup_reader_protocol(
|
fn upgrade_to_backup_reader_protocol(
|
||||||
parts: Parts,
|
parts: Parts,
|
||||||
@ -55,7 +60,12 @@ fn upgrade_to_backup_reader_protocol(
|
|||||||
async move {
|
async move {
|
||||||
let debug = param["debug"].as_bool().unwrap_or(false);
|
let debug = param["debug"].as_bool().unwrap_or(false);
|
||||||
|
|
||||||
|
let username = rpcenv.get_user().unwrap();
|
||||||
let store = tools::required_string_param(¶m, "store")?.to_owned();
|
let store = tools::required_string_param(¶m, "store")?.to_owned();
|
||||||
|
|
||||||
|
let user_info = CachedUserInfo::new()?;
|
||||||
|
user_info.check_privs(&username, &["datastore", &store], PRIV_DATASTORE_ALLOCATE_SPACE, false)?;
|
||||||
|
|
||||||
let datastore = DataStore::lookup_datastore(&store)?;
|
let datastore = DataStore::lookup_datastore(&store)?;
|
||||||
|
|
||||||
let backup_type = tools::required_string_param(¶m, "backup-type")?;
|
let backup_type = tools::required_string_param(¶m, "backup-type")?;
|
||||||
@ -76,7 +86,6 @@ fn upgrade_to_backup_reader_protocol(
|
|||||||
bail!("unexpected http version '{:?}' (expected version < 2)", parts.version);
|
bail!("unexpected http version '{:?}' (expected version < 2)", parts.version);
|
||||||
}
|
}
|
||||||
|
|
||||||
let username = rpcenv.get_user().unwrap();
|
|
||||||
let env_type = rpcenv.env_type();
|
let env_type = rpcenv.env_type();
|
||||||
|
|
||||||
let backup_dir = BackupDir::new(backup_type, backup_id, backup_time);
|
let backup_dir = BackupDir::new(backup_type, backup_id, backup_time);
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user