use reasonable acl paths

Dietmar Maurer
2020-04-30 09:30:00 +02:00
parent 7f402dafb7
commit 74c08a5782
10 changed files with 104 additions and 38 deletions


@ -5,7 +5,7 @@ use proxmox::api::{api, Router, RpcEnvironment, Permission};
use crate::api2::types::*;
use crate::config::acl;
use crate::config::acl::{Role, PRIV_SYS_AUDIT, PRIV_SYS_MODIFY};
use crate::config::acl::{Role, PRIV_SYS_AUDIT, PRIV_PERMISSIONS_MODIFY};
#[api(
properties: {
@ -37,19 +37,6 @@ pub struct AclListItem {
roleid: String,
}
fn check_acl_path(path: &str) -> Result<(), Error> {
let components = acl::split_acl_path(path);
if components.is_empty() { return Ok(()); }
if components.len() == 2 {
if components[0] == "datastore" { return Ok(()); }
}
bail!("invalid acl path '{}'.", path);
}
fn extract_acl_node_data(
node: &acl::AclTreeNode,
path: &str,
@ -92,7 +79,7 @@ fn extract_acl_node_data(
}
},
access: {
permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
permission: &Permission::Privilege(&["access", "acl"], PRIV_SYS_AUDIT, false),
},
)]
/// Read Access Control List (ACLs).
@ -144,7 +131,7 @@ pub fn read_acl(
},
},
access: {
permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
permission: &Permission::Privilege(&["access", "acl"], PRIV_PERMISSIONS_MODIFY, false),
},
)]
/// Update Access Control List (ACLs).
@ -186,7 +173,7 @@ pub fn update_acl(
}
if !delete { // Note: we allow to delete entries with invalid path
check_acl_path(&path)?;
acl::check_acl_path(&path)?;
}
if let Some(userid) = userid {
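Review bot: The new permission on `update_acl` is evaluated against the fixed node `&["access", "acl"]`, not against the `path` argument whose entry is being written. Nothing visible here limits which paths or roles a holder of `PRIV_PERMISSIONS_MODIFY` on that node can assign. If that delegation model is intended, state it on the endpoint's doc comment, e.g. `/// Note: PRIV_PERMISSIONS_MODIFY on /access/acl allows editing ACL entries for every path, including roles the caller does not hold.` If it is not intended, `update_acl` needs a check of the caller's privileges on `path` next to `acl::check_acl_path(&path)?;`. The body of `update_acl` extends beyond this hunk, so such a check may already exist outside the visible lines.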


@ -56,7 +56,7 @@ pub const PBS_PASSWORD_SCHEMA: Schema = StringSchema::new("User Password.")
},
},
access: {
permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
permission: &Permission::Privilege(&["access", "users"], PRIV_SYS_AUDIT, false),
},
)]
/// List all users
@ -111,7 +111,7 @@ pub fn list_users(
},
},
access: {
permission: &Permission::Privilege(&[], PRIV_PERMISSIONS_MODIFY, false),
permission: &Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
},
)]
/// Create new user.
@ -154,7 +154,7 @@ pub fn create_user(userid: String, password: Option<String>, param: Value) -> Re
type: user::User,
},
access: {
permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
permission: &Permission::Privilege(&["access", "users"], PRIV_SYS_AUDIT, false),
},
)]
/// Read user configuration data.
@ -208,7 +208,7 @@ pub fn read_user(userid: String) -> Result<Value, Error> {
},
},
access: {
permission: &Permission::Privilege(&[], PRIV_PERMISSIONS_MODIFY, false),
permission: &Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
},
)]
/// Update user configuration.
@ -290,7 +290,7 @@ pub fn update_user(
},
},
access: {
permission: &Permission::Privilege(&[], PRIV_PERMISSIONS_MODIFY, false),
permission: &Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
},
)]
/// Remove a user from the configuration file.