From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup 2/2] api: allow tokens to list users
Date: Wed, 30 Dec 2020 12:21:14 +0100 [thread overview]
Message-ID: <20201230112114.424764-2-f.gruenbichler@proxmox.com> (raw)
In-Reply-To: <20201230112114.424764-1-f.gruenbichler@proxmox.com>
their owner, or all if they have the appropriate privileges.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
Notes:
this seems benign enough. an otherwise unprivileged API token can still not
list any tokens, but that would require more changes..
src/api2/access/user.rs | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/src/api2/access/user.rs b/src/api2/access/user.rs
index 72c79def..9ac9bbfa 100644
--- a/src/api2/access/user.rs
+++ b/src/api2/access/user.rs
@@ -1,4 +1,4 @@
-use anyhow::{bail, Error};
+use anyhow::{bail, format_err, Error};
use serde::{Serialize, Deserialize};
use serde_json::{json, Value};
use std::collections::HashMap;
@@ -94,7 +94,6 @@ impl UserWithTokens {
}
}
-
#[api(
input: {
properties: {
@@ -113,7 +112,7 @@ impl UserWithTokens {
},
access: {
permission: &Permission::Anybody,
- description: "Returns all or just the logged-in user, depending on privileges.",
+ description: "Returns all or just the logged-in user (/API token owner), depending on privileges.",
},
)]
/// List users
@@ -125,9 +124,12 @@ pub fn list_users(
let (config, digest) = user::config()?;
- // intentionally user only for now
- let userid: Userid = rpcenv.get_auth_id().unwrap().parse()?;
- let auth_id = Authid::from(userid.clone());
+ let auth_id: Authid = rpcenv
+ .get_auth_id()
+ .ok_or_else(|| format_err!("no authid available"))?
+ .parse()?;
+
+ let userid = auth_id.user();
let user_info = CachedUserInfo::new()?;
@@ -135,7 +137,7 @@ pub fn list_users(
let top_level_allowed = (top_level_privs & PRIV_SYS_AUDIT) != 0;
let filter_by_privs = |user: &user::User| {
- top_level_allowed || user.userid == userid
+ top_level_allowed || user.userid == *userid
};
--
2.20.1
next prev parent reply other threads:[~2020-12-30 11:21 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-30 11:21 [pbs-devel] [PATCH proxmox-backup 1/2] api: improve error messages for restricted endpoints Fabian Grünbichler
2020-12-30 11:21 ` Fabian Grünbichler [this message]
2020-12-31 7:29 ` [pbs-devel] applied: " Dietmar Maurer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201230112114.424764-2-f.gruenbichler@proxmox.com \
--to=f.gruenbichler@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.