* [pbs-devel] [PATCH proxmox-backup 1/2] pull: fix permission checks for local syncs
@ 2023-11-28 14:16 Hannes Laimer
  2023-11-28 14:16 ` [pbs-devel] [PATCH proxmox-backup 2/2] ui: fix changing remote to local sync job Hannes Laimer
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Hannes Laimer @ 2023-11-28 14:16 UTC (permalink / raw)
  To: pbs-devel

Reported-by: Dominik Csapak <d.csapak@proxmox.com>
Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
 src/api2/config/sync.rs | 10 ++++------
 src/server/pull.rs      |  6 +++---
 2 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/src/api2/config/sync.rs b/src/api2/config/sync.rs
index ea0e08f1..8809465c 100644
--- a/src/api2/config/sync.rs
+++ b/src/api2/config/sync.rs
@@ -8,8 +8,8 @@ use proxmox_schema::{api, param_bail};
 
 use pbs_api_types::{
     Authid, SyncJobConfig, SyncJobConfigUpdater, JOB_ID_SCHEMA, PRIV_DATASTORE_AUDIT,
-    PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_MODIFY, PRIV_DATASTORE_PRUNE, PRIV_DATASTORE_READ,
-    PRIV_REMOTE_AUDIT, PRIV_REMOTE_READ, PROXMOX_CONFIG_DIGEST_SCHEMA,
+    PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_MODIFY, PRIV_DATASTORE_PRUNE, PRIV_REMOTE_AUDIT,
+    PRIV_REMOTE_READ, PROXMOX_CONFIG_DIGEST_SCHEMA,
 };
 use pbs_config::sync;
 
@@ -70,11 +70,9 @@ pub fn check_sync_job_modify_access(
 
     if let Some(remote) = &job.remote {
         let remote_privs = user_info.lookup_privs(auth_id, &["remote", remote, &job.remote_store]);
-        remote_privs & PRIV_REMOTE_READ != 0
-    } else {
-        let source_ds_privs = user_info.lookup_privs(auth_id, &["datastore", &job.remote_store]);
-        source_ds_privs & PRIV_DATASTORE_READ != 0
+        return remote_privs & PRIV_REMOTE_READ != 0;
     }
+    true
 }
 
 #[api(
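Review bot: The trailing `true` makes check_sync_job_modify_access allow every job that has no remote, and nothing in the function says where the source-datastore read check now lives. The removed `PRIV_DATASTORE_READ` test appears to be replaced by the per-group privilege filter this patch adds in src/server/pull.rs, so a comment directly above the `true` should record that, for example `// local source: no config-time check here; read access is filtered per group at pull time (LocalSource in server/pull.rs)`. Without it, an allow-by-default tail in an authorization helper reads like an omission, and any source kind added later would fall through to it unnoticed. The start of the function is outside the hunk, so the earlier checks on the target datastore are not visible here.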
diff --git a/src/server/pull.rs b/src/server/pull.rs
index 1403c7a7..66ef333a 100644
--- a/src/server/pull.rs
+++ b/src/server/pull.rs
@@ -17,7 +17,7 @@ use serde_json::json;
 use pbs_api_types::{
     print_store_and_ns, Authid, BackupDir, BackupGroup, BackupNamespace, CryptMode, GroupFilter,
     GroupListItem, Operation, RateLimitConfig, Remote, SnapshotListItem, MAX_NAMESPACE_DEPTH,
-    PRIV_DATASTORE_AUDIT, PRIV_DATASTORE_BACKUP,
+    PRIV_DATASTORE_AUDIT, PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_READ,
 };
 use pbs_client::{BackupReader, BackupRepository, HttpClient, RemoteChunkReader};
 use pbs_config::CachedUserInfo;
@@ -271,8 +271,8 @@ impl PullSource for LocalSource {
             &self.store,
             namespace.clone(),
             0,
-            None,
-            None,
+            Some(PRIV_DATASTORE_READ),
+            Some(PRIV_DATASTORE_BACKUP),
             Some(owner),
         )?
         .filter_map(Result::ok)
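Review bot: The adjacent arguments `Some(PRIV_DATASTORE_READ)` and `Some(PRIV_DATASTORE_BACKUP)` have the same type and are passed positionally, so the call site does not show which privilege grants access to every group and which one is only honoured together with the `Some(owner)` match. Swapping them would still compile and would change which groups a local sync may read, so each line deserves a trailing comment naming the callee's parameter, in the form `Some(PRIV_DATASTORE_READ), // <callee parameter name>: what it grants`. The callee and its signature are outside the hunk, so the intended mapping should be confirmed against it before the comments are written. The unchanged `.filter_map(Result::ok)` also discards listing errors, so a group dropped by an error looks the same as one filtered for missing privileges; a log line there would help when a sync copies less than expected.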
-- 
2.39.2





2023-11-28 14:16 [pbs-devel] [PATCH proxmox-backup 1/2] pull: fix permission checks for local syncs Hannes Laimer
2023-11-28 14:16 ` [pbs-devel] [PATCH proxmox-backup 2/2] ui: fix changing remote to local sync job Hannes Laimer
2023-11-28 14:40   ` Dominik Csapak
2023-11-28 14:39 ` [pbs-devel] [PATCH proxmox-backup 1/2] pull: fix permission checks for local syncs Dominik Csapak
2023-11-28 16:38 ` [pbs-devel] applied: " Thomas Lamprecht
