tyler/proxmox-backup
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

api: backup create: make permission check namespace aware

Browse Source 
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This commit is contained in:
Thomas Lamprecht 2022-05-05 19:26:04 +02:00
parent 7d6fc15b20
commit cabda57f0a
1 changed files with 12 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
src/api2/backup/mod.rs
View File

@ -54,7 +54,7 @@ pub const API_METHOD_UPGRADE_BACKUP: ApiMethod = ApiMethod::new(
) )
).access( ).access(
// Note: parameter 'store' is no uri parameter, so we need to test inside function body // Note: parameter 'store' is no uri parameter, so we need to test inside function body
Some("The user needs Datastore.Backup privilege on /datastore/{store} and needs to own the backup group."), Some("Requires on /datastore/{store}[/{namespace}] DATASTORE_BACKUP and being the owner of the group"),
&Permission::Anybody &Permission::Anybody
); );
@ -72,19 +72,22 @@ fn upgrade_to_backup_protocol(
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?; let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
let store = required_string_param(&param, "store")?.to_owned(); let store = required_string_param(&param, "store")?.to_owned();
let backup_dir_arg = pbs_api_types::BackupDir::deserialize(&param)?;
let backup_ns = &backup_dir_arg.group.ns;
let user_info = CachedUserInfo::new()?; let user_info = CachedUserInfo::new()?;
user_info.check_privs(
&auth_id, let privs = if backup_ns.is_root() {
&["datastore", &store], user_info.lookup_privs(&auth_id, &["datastore", &store])
PRIV_DATASTORE_BACKUP, } else {
false, user_info.lookup_privs(&auth_id, &["datastore", &store, &backup_ns.to_string()])
)?; };
if privs & PRIV_DATASTORE_BACKUP == 0 {
proxmox_router::http_bail!(FORBIDDEN, "permission check failed");
}
let datastore = DataStore::lookup_datastore(&store, Some(Operation::Write))?; let datastore = DataStore::lookup_datastore(&store, Some(Operation::Write))?;
let backup_dir_arg = pbs_api_types::BackupDir::deserialize(&param)?;
let protocols = parts let protocols = parts
.headers .headers
.get("UPGRADE") .get("UPGRADE")