From: Shannon Sterz <s.sterz@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [pdm-devel] [PATCH datacenter-manager/proxmox/yew-comp v4 00/10] add support for checking acl permissions in (yew) front-ends
Date: Fri, 14 Nov 2025 15:43:08 +0100
Message-ID: <20251114144318.317322-1-s.sterz@proxmox.com>

this patch series adds support for querying acl entries from the
front-end. it also makes it possible to reactively render ui components
depending on the user's privileges and refreshes this information every
time a new ticket is set.

the series is structured as such:

1. proxmox, «access-control: add acl feature to only expose types and
   the AclTree»: creates a new feature that exposes only it and some
   types to dependent crates.
2. proxmox, «access-control: use format strings where possible»: a
   small clean up commit that moves variables into format strings
   where possible.
3. proxmox, «access-control: move functions querying privileges to the
   AclTree»: functions that basically just query the AclTree are moved
   to the AclTree itself to make it easier to re-use them.
4. proxmox: «access-control: derive Debug and PartialEq on AclTree and
   AclTreeNode»: derives Debug and PartialEq on the AclTree and
   AclTreeNode to make it easier to handle these types in the ui.
5. proxmox: «access-control: allow reading all acls of the current
   authid»: allows querying all of a user's acl entries via the
   API_METHOD_READ_ACL endpoint.
6. yew-comp: «acl_context: add AclContext and AclContextProvider»: adds
   an AclContext and AclContextProvider to proxmox-yew-comp. these
   allow applications to provide acl information that components can
   hook into and get reactively re-rendered.
7. yew-comp: «http_helpers: reload LocalAclTree when logging in or
   refreshing a ticket»: so that the ui can be rendered according to
   the current acls for the user.
8. datacenter-manager: «move AccessControlConfig to pdm-api-types»: so
   we can re-use it in the front-end. then an
9. datacenter-manager: «ui: add an AclContext via the AclContextProvider
   to the main app ui»: allows components to hook into the AclContext
   and be re-rendered when it changes.
10. datacenter-manager: «ui: main menu: use the AclContext to hide the
    Notes if appropriate»: shows how the new AclContext can be used to
    only render relevant ui components.


Follow-up
---------

if this series is applied, more ui components will need to be hooked
into the context to more widely use this functionality across the
application.

Changelog
---------

note that there was already a v2 [1] of this series, but this was a mistake
and should be considered a v1. sorry for the confusion.

changes since v3:

- fix up a typo, thanks @ Lukas Wagner
- extract Roles via `AclTreeNode::extract_roles` to prepare for
  potential group features, thanks @ Fabian Grünbichler

note: after some offline discussion i left the AccessControlConfig in
pdm-api-types. we can easily move everything there out into a separate
crate still and it's not really a public api. so changing should be
easy enough.

changes since v2:

- combine impl only functions into private modules and impl blocks to
  more cleanly separate them out (thanks @ Wolfgang Bumiller)
- add a small clean up commit for in-lining format string variables

changes since v1:

- move removing a use line to the right commit (thanks @ Dominik Csapak)
- instead of adapting the NodesView, simply avoid setting an on_submit
  callback if the user doesn't have the permissions (thanks @ Dominik
  Csapak)

proxmox:

Shannon Sterz (5):
  access-control: add acl feature to only expose types and the AclTree
  access-control: use format strings where possible
  access-control: move functions querying privileges to the AclTree
  access-control: derive Debug and PartialEq on AclTree and AclTreeNode
  access-control: allow reading all acls of the current authid

 proxmox-access-control/Cargo.toml             |   5 +-
 proxmox-access-control/src/acl.rs             | 509 +++++++++++-------
 proxmox-access-control/src/api/acl.rs         | 101 ++--
 .../src/cached_user_info.rs                   |  91 +---
 proxmox-access-control/src/init.rs            |  91 ++--
 proxmox-access-control/src/lib.rs             |   4 +-
 proxmox-access-control/src/token_shadow.rs    |   2 +-
 proxmox-access-control/src/user.rs            |   3 +-
 8 files changed, 455 insertions(+), 351 deletions(-)


proxmox-yew-comp:

Shannon Sterz (2):
  acl_context: add AclContext and AclContextProvider
  http_helpers: reload LocalAclTree when logging in or refreshing a
    ticket

 Cargo.toml          |   2 +-
 src/acl_context.rs  | 204 ++++++++++++++++++++++++++++++++++++++++++++
 src/http_helpers.rs |   5 ++
 src/lib.rs          |   3 +
 4 files changed, 213 insertions(+), 1 deletion(-)
 create mode 100644 src/acl_context.rs


proxmox-datacenter-manager:

Shannon Sterz (3):
  pdm-acl: create pdm-acl crate
  ui: add an AclContext via the AclContextProvider to the main app ui
  ui: main menu: use the AclContext to hide the Notes if appropriate

 lib/pdm-api-types/Cargo.toml |   1 +
 lib/pdm-api-types/src/acl.rs | 164 +++++++++++++++++++++++++++++++++-
 server/src/acl.rs            | 168 +----------------------------------
 ui/Cargo.toml                |   1 +
 ui/src/main.rs               |  14 ++-
 ui/src/main_menu.rs          |  68 +++++++++-----
 6 files changed, 226 insertions(+), 190 deletions(-)


Summary over all repositories:
  18 files changed, 894 insertions(+), 542 deletions(-)

--
Generated by git-murpp 0.8.1

