From: Dominik Csapak <d.csapak@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [pdm-devel] [PATCH datacenter-manager 2/8] server: api: subscription: include basic info about remotes without permissions
Date: Mon, 1 Dec 2025 11:39:04 +0100
Message-ID: <20251201103917.1357369-5-d.csapak@proxmox.com>
In-Reply-To: <20251201103917.1357369-1-d.csapak@proxmox.com>
to enable a global permission check that reaches over all remotes,
we have to return (very basic) info about remotes even when the user
doesn't have permissions for these remotes. In that case, only return the
subscription state, but not the remote name or node details.
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
alternatively, we could try to return a different structure with just
counts, but this would achieve the same effect, but we'd need to handle
two different api calls/return values, this way it's always the same,
and the remote names aren't interesting to us for the checks anyway
server/src/api/resources.rs | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/server/src/api/resources.rs b/server/src/api/resources.rs
index 22871362..6fd96b64 100644
--- a/server/src/api/resources.rs
+++ b/server/src/api/resources.rs
@@ -608,7 +608,7 @@ pub async fn get_subscription_status(
let view = views::get_optional_view(view.as_deref())?;
- let check_priv = |remote_name: &str| -> bool {
+ let check_priv = move |remote_name: &str| -> bool {
user_info
.check_privs(
&auth_id,
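Review bot: `move` on `check_priv` makes the closure take ownership of `user_info` and `auth_id`, so any later use of either in `get_subscription_status` needs its own clone, and the `check_priv.clone()` added in the loop then copies both once per remote. Evaluating the privilege once per iteration before the `async move` block, for example `let privileged = allow_all || check_priv(&remote_name);`, and moving only that bool into the future would make both the `move` and the per-remote clone unnecessary.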
@@ -624,11 +624,10 @@ pub async fn get_subscription_status(
if view.can_skip_remote(&remote_name) {
continue;
}
- } else if !allow_all && !check_priv(&remote_name) {
- continue;
}
let view = view.clone();
+ let check_priv = check_priv.clone();
let future = async move {
let (node_status, error) =
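Review bot: with the `else if !allow_all && !check_priv(&remote_name) { continue; }` branch gone, the future that fetches `(node_status, error)` is now built for remotes the caller has no privileges on, so a caller can cause subscription queries against remotes they cannot otherwise access. That is the intent per the commit message, but it deserves a comment at this spot and a line in the API description stating that unprivileged remotes are still queried and what is returned for them, so the missing check is not mistaken for an oversight later.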
@@ -664,6 +663,13 @@ pub async fn get_subscription_status(
RemoteSubscriptionState::Unknown
};
+ let (remote_name, verbose) = if !allow_all && !check_priv(&remote_name) {
+ // prevent info leak
+ ("".to_string(), false)
+ } else {
+ (remote_name, verbose)
+ };
+
Some(RemoteSubscriptions {
remote: remote_name,
error,
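Review bot: the unprivileged branch blanks `remote_name` and `verbose`, but `error` is still passed into `RemoteSubscriptions` unchanged, and an error produced while contacting a remote may well name that remote or its host; setting `error` to `None` in the same branch would close that path. Also worth confirming: `node_status` was already obtained at the top of the future, before `verbose` is shadowed here, so the visible lines do not show that node details are actually dropped for unprivileged callers. Finally, an empty string as the marker means every hidden remote reports `remote: ""`, which collides for any consumer that keys on the name; please document the sentinel in the API schema or use a dedicated field.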
--
2.47.3
Thread overview: 12+ messages
2025-12-01 10:39 [pdm-devel] [PATCH datacenter-manager/yew-comp 00/10] add subscription checks to apt repository updates & login Dominik Csapak
2025-12-01 10:39 ` [pdm-devel] [PATCH yew-comp 1/2] subscription: refactor api subscription check for showing the alert Dominik Csapak
2025-12-01 10:39 ` [pdm-devel] [PATCH yew-comp 2/2] apt package manager: add optional subscription check on 'Refresh' button Dominik Csapak
2025-12-01 10:39 ` [pdm-devel] [PATCH datacenter-manager 1/8] server: api: subscription: fix permission check Dominik Csapak
2025-12-01 10:39 ` Dominik Csapak [this message]
2025-12-01 10:39 ` [pdm-devel] [PATCH datacenter-manager 3/8] server: api: subscription: add remote type to subscription info Dominik Csapak
2025-12-01 10:39 ` [pdm-devel] [PATCH datacenter-manager 4/8] ui: login: enable subscription check Dominik Csapak
2025-12-01 10:39 ` [pdm-devel] [PATCH datacenter-manager 5/8] server: api: pve/pbs: node: add subscription api call Dominik Csapak
2025-12-01 10:39 ` [pdm-devel] [PATCH datacenter-manager 6/8] ui: pve/pbs: updates: add subscription_url Dominik Csapak
2025-12-01 10:39 ` [pdm-devel] [PATCH datacenter-manager 7/8] ui: refactor check_subscription into lib Dominik Csapak
2025-12-01 10:39 ` [pdm-devel] [PATCH datacenter-manager 8/8] ui: remote updates: add subscription check on 'Refresh all' Dominik Csapak
2025-12-01 13:54 ` [pdm-devel] superseded: [PATCH datacenter-manager/yew-comp 00/10] add subscription checks to apt repository updates & login Dominik Csapak