From mboxrd@z Thu Jan  1 00:00:00 1970
Date: Fri, 3 Sep 2021 12:56:06 +0200
From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: Oguz Bektas <o.bektas@proxmox.com>
Cc: pmg-devel@lists.proxmox.com, Thomas Lamprecht <t.lamprecht@proxmox.com>
Message-ID: <20210903125606.556881f6@rosa.proxmox.com>
In-Reply-To: <20210902084712.42924-1-o.bektas@proxmox.com>
References: <20210902084712.42924-1-o.bektas@proxmox.com>
X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.33; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: [pmg-devel] applied: [PATCH v2 pmg-api] api: apt: use actual
 pmg-style permission for endpoint schema
List-Id: Proxmox Mail Gateway development discussion
 <pmg-devel.lists.proxmox.com>

huge thanks for the patch - tested and applied

On Thu,  2 Sep 2021 10:47:12 +0200
Oguz Bektas <o.bektas@proxmox.com> wrote:

> it wrongly uses the permission model from PVE, which caused the
> endpoints to be root-only as a side effect, since PMG API doesn't
> recognize the PVE-specific permissions.
> 
> fix those to allow PMG users with administrator role to add/delete
> repositories, and auditor role to view the repositories.
> 
> reported in a forum thread [0]
> 
> [0]:
> https://forum.proxmox.com/threads/no-apt-repo-information-for-non-root-on-the-web-gui.95217/
> 
> Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
> Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
> ---
> v1->v2:
> * update commit message and explain the root cause
> 
>  src/PMG/API2/APT.pm | 12 +++---------
>  1 file changed, 3 insertions(+), 9 deletions(-)
> 
> diff --git a/src/PMG/API2/APT.pm b/src/PMG/API2/APT.pm
> index 5e132c4..18bb992 100644
> --- a/src/PMG/API2/APT.pm
> +++ b/src/PMG/API2/APT.pm
> @@ -477,9 +477,7 @@ __PACKAGE__->register_method({
>      method => 'GET',
>      proxyto => 'node',
>      description => "Get APT repository information.",
> -    permissions => {
> -	check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]],
> -    },
> +    permissions => { check => [ 'admin', 'audit' ] },
>      parameters => {
>  	additionalProperties => 0,
>  	properties => {
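
Review bot: the new `check => [ 'admin', 'audit' ]` on this GET widens read access from effectively root-only (per the commit message) to two roles, so it is worth confirming that the repository information returned contains nothing an auditor should not see, such as credentials embedded in a repository URI. If it can, filter those fields in the handler rather than narrowing the role list. A short comment above the check saying that PMG uses role lists and not PVE-style `['perm', path, privs]` tuples would help keep code copied from PVE from repeating the mistake.
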
> @@ -678,9 +676,7 @@ __PACKAGE__->register_method({
>      path => 'repositories',
>      method => 'PUT',
>      description => "Add a standard repository to the configuration",
> -    permissions => {
> -	check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
> -    },
> +    permissions => { check => [ 'admin' ] },
>      protected => 1,
>      proxyto => 'node',
>      parameters => {
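
Review bot: with `check => [ 'admin' ]` on this `protected => 1` PUT, non-root administrators can now change the node's package sources, which the old check effectively limited to root. That matches the commit message, but it is a user-visible privilege change and deserves a line in the changelog or the admin documentation. The description says only a standard repository can be added; please confirm that the parameter schema (not visible in this hunk) enforces that, so the admin role cannot introduce an arbitrary source.
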
> @@ -713,9 +709,7 @@ __PACKAGE__->register_method({
>      path => 'repositories',
>      method => 'POST',
>      description => "Change the properties of a repository. Currently only allows enabling/disabling.",
> -    permissions => {
> -	check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
> -    },
> +    permissions => { check => [ 'admin' ] },
>      protected => 1,
>      proxyto => 'node',
>      parameters => {
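
Review bot: this is the third copy of the same PVE-style `['perm', '/nodes/{node}', ...]` check replaced in this file, and according to the commit message the wrong schema was not rejected but silently made the endpoints root-only. Failing closed is the safe direction, but nothing flagged the mismatch until a user reported it. Consider grepping the rest of the PMG API modules for `'perm'` checks and adding a test that fails when a registered method uses a check type the PMG permission code does not recognize.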