From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 8E2E71FF17A for ; Fri, 18 Jul 2025 11:30:01 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 4E80B18704; Fri, 18 Jul 2025 11:30:37 +0200 (CEST) From: Fiona Ebner To: pve-devel@lists.proxmox.com Date: Fri, 18 Jul 2025 11:30:13 +0200 Message-ID: <20250718093024.55570-8-f.ebner@proxmox.com> X-Mailer: git-send-email 2.47.2 In-Reply-To: <20250718093024.55570-1-f.ebner@proxmox.com> References: <20250718093024.55570-1-f.ebner@proxmox.com> MIME-Version: 1.0 X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1752831026103 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.028 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pve-devel] [PATCH manager 7/9] api: replication: fix usages of RPCEnvironment check method X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" The RPCEnvironment's check() method is used without $noerr, so it will already fail and raise a permission exception when the privilege is missing. The usage in the job_status endpoint can be simplified, as the raise_perm_exc() there is dead code. The other two usages actually want to set the $noerr argument. In particular, this makes it possible to use the 'status' endpoint, when the user does not have VM.Audit for all guests with a replication job and to read the log with only Sys.Audit privilege on the node. Both would previously fail, because the check for VM.Audit would raise an exception already. Signed-off-by: Fiona Ebner --- PVE/API2/Replication.pm | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/PVE/API2/Replication.pm b/PVE/API2/Replication.pm index 7d048f53..c8416239 100644 --- a/PVE/API2/Replication.pm +++ b/PVE/API2/Replication.pm @@ -236,7 +236,7 @@ __PACKAGE__->register_method({ my $data = $extract_job_status->($jobs->{$id}, $id); my $guest = $data->{guest}; next if defined($param->{guest}) && $guest != $param->{guest}; - next if !$rpcenv->check($authuser, "/vms/$guest", ['VM.Audit']); + next if !$rpcenv->check($authuser, "/vms/$guest", ['VM.Audit'], 1); push @$res, $data; } @@ -311,7 +311,7 @@ __PACKAGE__->register_method({ my $data = $extract_job_status->($jobcfg, $jobid); my $guest = $data->{guest}; - raise_perm_exc() if !$rpcenv->check($authuser, "/vms/$guest", ['VM.Audit']); + $rpcenv->check($authuser, "/vms/$guest", ['VM.Audit']); return $data; }, @@ -381,8 +381,8 @@ __PACKAGE__->register_method({ my $vmid = $data->{guest}; raise_perm_exc() if (!( - $rpcenv->check($authuser, "/vms/$vmid", ['VM.Audit']) - || $rpcenv->check($authuser, "/nodes/$node", ['Sys.Audit']) + $rpcenv->check($authuser, "/vms/$vmid", ['VM.Audit'], 1) + || $rpcenv->check($authuser, "/nodes/$node", ['Sys.Audit'], 1) )); my ($count, $lines) = -- 2.47.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel