From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id B513C1FF183 for ; Wed, 8 Oct 2025 15:44:11 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 588089C09; Wed, 8 Oct 2025 15:44:17 +0200 (CEST) From: Dominik Csapak To: pbs-devel@lists.proxmox.com Date: Wed, 8 Oct 2025 15:43:31 +0200 Message-ID: <20251008134344.3512958-3-d.csapak@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20251008134344.3512958-1-d.csapak@proxmox.com> References: <20251008134344.3512958-1-d.csapak@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.123 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment POISEN_SPAM_PILL 0.1 Meta: its spam POISEN_SPAM_PILL_1 0.1 random spam to be learned in bayes POISEN_SPAM_PILL_3 0.1 random spam to be learned in bayes SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pbs-devel] [PATCH proxmox-backup v2 1/6] backup: hierarchy: add new can_access_any_namespace_below helper X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" sometimes we need to check the permissions in a range from a starting namespace with a certain depth. Signed-off-by: Dominik Csapak --- changes from v1: * rename helper from 'can_access_any_namespace_in_range' src/backup/hierarchy.rs | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/src/backup/hierarchy.rs b/src/backup/hierarchy.rs index 8dd71fcf7..febcb9a83 100644 --- a/src/backup/hierarchy.rs +++ b/src/backup/hierarchy.rs @@ -68,19 +68,21 @@ pub fn check_ns_privs_full( ); } -pub fn can_access_any_namespace( +/// Checks if the given user has read/access rights on any namespace on the given datastore, +/// beginning with `start_ns` up to `max_depth` below. +pub fn can_access_any_namespace_below( store: Arc, auth_id: &Authid, user_info: &CachedUserInfo, + parent_ns: Option, + max_depth: Option, ) -> bool { + let ns = parent_ns.unwrap_or_default(); // NOTE: traversing the datastore could be avoided if we had an "ACL tree: is there any priv // below /datastore/{store}" helper - let mut iter = - if let Ok(iter) = store.recursive_iter_backup_ns_ok(BackupNamespace::root(), None) { - iter - } else { - return false; - }; + let Ok(mut iter) = store.recursive_iter_backup_ns_ok(ns, max_depth) else { + return false; + }; let wanted = PRIV_DATASTORE_AUDIT | PRIV_DATASTORE_MODIFY | PRIV_DATASTORE_READ | PRIV_DATASTORE_BACKUP; let name = store.name(); @@ -90,6 +92,15 @@ pub fn can_access_any_namespace( }) } +/// Checks if the given user has read/access rights on any namespace on given datastore +pub fn can_access_any_namespace( + store: Arc, + auth_id: &Authid, + user_info: &CachedUserInfo, +) -> bool { + can_access_any_namespace_below(store, auth_id, user_info, None, None) +} + /// A privilege aware iterator for all backup groups in all Namespaces below an anchor namespace, /// most often that will be the `BackupNamespace::root()` one. /// -- 2.47.3 _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel