diff --git a/src/api2/access/acl.rs b/src/api2/access/acl.rs
index 20dac485..71a7406e 100644
--- a/src/api2/access/acl.rs
+++ b/src/api2/access/acl.rs
@@ -66,6 +66,19 @@ pub struct AclListItem {
 roleid: String,
 }
+fn check_acl_path(path: &str) -> Result<(), Error> {
+
+ let path = acl::split_acl_path(path);
+
+ if path.is_empty() { return Ok(()); }
+
+ if path.len() == 2 {
+ if path[0] == "storage" { return Ok(()); }
+ }
+
+ bail!("invalid acl path.");
+}
+
 fn extract_acl_node_data(
 node: &acl::AclTreeNode,
 path: &str,
@@ -182,7 +195,7 @@ pub fn update_acl(
 let delete = delete.unwrap_or(false);
- if let Some(ref group) = group {
+ if let Some(ref _group) = group {
 bail!("parameter 'group' - groups are currently not supported.");
 } else if let Some(ref userid) = userid {
 if !delete { // Note: we allow to delete non-existent users
@@ -195,6 +208,10 @@ pub fn update_acl(
 bail!("missing 'userid' or 'group' parameter.");
 }
+ if !delete { // Note: we allow to delete entries with invalid path
+ check_acl_path(&path);
+ }
+
 if let Some(userid) = userid {
 if delete {
 tree.delete_user_role(&path, &userid, &role);
diff --git a/src/config/acl.rs b/src/config/acl.rs
index f12aa21e..ab43e5a8 100644
--- a/src/config/acl.rs
+++ b/src/config/acl.rs
@@ -52,7 +52,7 @@ lazy_static! {
 };
 }
-fn split_acl_path(path: &str) -> Vec<&str> {
+pub fn split_acl_path(path: &str) -> Vec<&str> {
 let items = path.split('/');
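Review bot: check_acl_path accepts any two-component path whose first component is `storage` and never inspects the second component, so whatever split_acl_path yields there is accepted as an ACL path; unless the API schema for `path` already constrains it (not visible here), the name should be validated in this function as well. The function has no doc comment stating the accepted grammar; I would add `/// Accepts the root path and /storage/<name>; rejects every other ACL path.` above it. As a matter of style, the nested `if` reads better as one condition, `if path.len() == 2 && path[0] == "storage" { return Ok(()); }`, and the `bail!` message would be easier to act on if it named the offending path.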
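Review bot: The `Result` returned by `check_acl_path(&path);` in the third hunk is discarded, so an invalid path is never rejected and execution continues to the ACL tree update that follows; the validation added by this commit has no effect as written. The call has to propagate the error, `check_acl_path(&path)?;`. update_acl already uses `bail!` in the visible lines, so `?` should fit its return type, though the signature and the insert branch are outside the hunk. A test that submits a path outside the allowed set and expects an error would keep this check from silently regressing.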