* [pve-devel] [PATCH pve-manager] api: notification targets: fix permission check for POST/PUT
From: Lukas Wagner @ 2024-11-29 8:59 UTC
To: pve-devel
This fixes the error:

  unknown permission test at /usr/share/perl5/PVE/RPCEnvironment.pm line 536. (500)

which occurred when trying to create or update a notification target.

The cause was a permission 'check' parameter for the API handlers which was nested
one level too deep by accident.

This regression was introduced in a previous commit which raised the
needed permissions for notification target management. It likely went
unnoticed because the permission check is skipped for root@pam, so
the error occurs only if using another user.

Reported in the community forum:
https://forum.proxmox.com/threads/158101

Fixes: a3fe9c54 ("api: notifications: require powerful privileges for target management")
Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
---
PVE/API2/Cluster/Notifications.pm | 96 +++++++++++++------------------
1 file changed, 40 insertions(+), 56 deletions(-)
diff --git a/PVE/API2/Cluster/Notifications.pm b/PVE/API2/Cluster/Notifications.pm
index 50ee5662..a61ab839 100644
--- a/PVE/API2/Cluster/Notifications.pm
+++ b/PVE/API2/Cluster/Notifications.pm
@@ -500,13 +500,11 @@ __PACKAGE__->register_method ({
method => 'POST',
description => 'Create a new sendmail endpoint',
permissions => {
- check => [
- ['and',
- ['perm', '/mapping/notifications', ['Mapping.Modify']],
- ['or',
- ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
- ['perm', '/', [ 'Sys.AccessNetwork' ]],
- ],
+ check => ['and',
+ ['perm', '/mapping/notifications', ['Mapping.Modify']],
+ ['or',
+ ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
+ ['perm', '/', [ 'Sys.AccessNetwork' ]],
],
],
},
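Review bot: The `check => ['and', ...]` expression added in this hunk is repeated verbatim in all eight POST/PUT handlers touched by the patch, and the nesting mistake being fixed was present in every copy. Consider defining the expression once in the module and referencing it from each `permissions` hash, so that a later change to the required privileges is made, and can go wrong, in only one place.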
@@ -556,13 +554,11 @@ __PACKAGE__->register_method ({
method => 'PUT',
description => 'Update existing sendmail endpoint',
permissions => {
- check => [
- ['and',
- ['perm', '/mapping/notifications', ['Mapping.Modify']],
- ['or',
- ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
- ['perm', '/', [ 'Sys.AccessNetwork' ]],
- ],
+ check => ['and',
+ ['perm', '/mapping/notifications', ['Mapping.Modify']],
+ ['or',
+ ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
+ ['perm', '/', [ 'Sys.AccessNetwork' ]],
],
],
},
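Review bot: The `['or', ...]` branch of the new `check` is undocumented: `['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]]` lists two privileges while the alternative `['perm', '/', [ 'Sys.AccessNetwork' ]]` lists one, and nothing in the hunk says whether the two-element list means both privileges or either. A short comment above the `or` stating the intended rule in words would let a reader check the expression against the intent, which matters here because the structure has already been written wrong once.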
@@ -780,13 +776,11 @@ __PACKAGE__->register_method ({
method => 'POST',
description => 'Create a new gotify endpoint',
permissions => {
- check => [
- ['and',
- ['perm', '/mapping/notifications', ['Mapping.Modify']],
- ['or',
- ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
- ['perm', '/', [ 'Sys.AccessNetwork' ]],
- ],
+ check => ['and',
+ ['perm', '/mapping/notifications', ['Mapping.Modify']],
+ ['or',
+ ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
+ ['perm', '/', [ 'Sys.AccessNetwork' ]],
],
],
},
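Review bot: Bracket spacing is inconsistent within the added `check` lines: `['Mapping.Modify']` has no inner padding, while `[ 'Sys.Audit', 'Sys.Modify' ]` and `[ 'Sys.AccessNetwork' ]` do. The lines are being rewritten anyway, so settle on one form across all eight handlers.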
@@ -832,13 +826,11 @@ __PACKAGE__->register_method ({
method => 'PUT',
description => 'Update existing gotify endpoint',
permissions => {
- check => [
- ['and',
- ['perm', '/mapping/notifications', ['Mapping.Modify']],
- ['or',
- ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
- ['perm', '/', [ 'Sys.AccessNetwork' ]],
- ],
+ check => ['and',
+ ['perm', '/mapping/notifications', ['Mapping.Modify']],
+ ['or',
+ ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
+ ['perm', '/', [ 'Sys.AccessNetwork' ]],
],
],
},
@@ -1099,13 +1091,11 @@ __PACKAGE__->register_method ({
method => 'POST',
description => 'Create a new smtp endpoint',
permissions => {
- check => [
- ['and',
- ['perm', '/mapping/notifications', ['Mapping.Modify']],
- ['or',
- ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
- ['perm', '/', [ 'Sys.AccessNetwork' ]],
- ],
+ check => ['and',
+ ['perm', '/mapping/notifications', ['Mapping.Modify']],
+ ['or',
+ ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
+ ['perm', '/', [ 'Sys.AccessNetwork' ]],
],
],
},
@@ -1165,13 +1155,11 @@ __PACKAGE__->register_method ({
method => 'PUT',
description => 'Update existing smtp endpoint',
permissions => {
- check => [
- ['and',
- ['perm', '/mapping/notifications', ['Mapping.Modify']],
- ['or',
- ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
- ['perm', '/', [ 'Sys.AccessNetwork' ]],
- ],
+ check => ['and',
+ ['perm', '/mapping/notifications', ['Mapping.Modify']],
+ ['or',
+ ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
+ ['perm', '/', [ 'Sys.AccessNetwork' ]],
],
],
},
@@ -1423,13 +1411,11 @@ __PACKAGE__->register_method ({
method => 'POST',
description => 'Create a new webhook endpoint',
permissions => {
- check => [
- ['and',
- ['perm', '/mapping/notifications', ['Mapping.Modify']],
- ['or',
- ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
- ['perm', '/', [ 'Sys.AccessNetwork' ]],
- ],
+ check => ['and',
+ ['perm', '/mapping/notifications', ['Mapping.Modify']],
+ ['or',
+ ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
+ ['perm', '/', [ 'Sys.AccessNetwork' ]],
],
],
},
@@ -1464,13 +1450,11 @@ __PACKAGE__->register_method ({
method => 'PUT',
description => 'Update existing webhook endpoint',
permissions => {
- check => [
- ['and',
- ['perm', '/mapping/notifications', ['Mapping.Modify']],
- ['or',
- ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
- ['perm', '/', [ 'Sys.AccessNetwork' ]],
- ],
+ check => ['and',
+ ['perm', '/mapping/notifications', ['Mapping.Modify']],
+ ['or',
+ ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
+ ['perm', '/', [ 'Sys.AccessNetwork' ]],
],
],
},
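Review bot: No regression test accompanies the fix: the diffstat shows only `PVE/API2/Cluster/Notifications.pm` changed, and the commit message states that the failure appears only for users other than root@pam because the check is skipped for that account. A test, or at least a documented manual test step, that calls one create and one update handler as a non-root user would catch a malformed `check` structure before release instead of through a forum report.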
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* [pve-devel] applied: [PATCH pve-manager] api: notification targets: fix permission check for POST/PUT
From: Thomas Lamprecht @ 2024-11-29 10:46 UTC
To: Proxmox VE development discussion, Lukas Wagner
On 29.11.24 at 09:59, Lukas Wagner wrote:
> This fixes the error:
> unknown permission test at /usr/share/perl5/PVE/RPCEnvironment.pm line 536. (500)
> which occurred when trying to create or update a notification target.
>
> The cause was a permission 'check' parameter for the API handlers which was nested
> one level too deep by accident.
>
> This regression was introduced in a previous commit which raised the
> needed permissions for notification target management. It likely went
> unnoticed because the permission check is skipped for root@pam, so
> the error occurs only if using another user.
>
> Reported in the community forum:
> https://forum.proxmox.com/threads/158101
>
> Fixes: a3fe9c54 ("api: notifications: require powerful privileges for target management")
> Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
> ---
> PVE/API2/Cluster/Notifications.pm | 96 +++++++++++++------------------
> 1 file changed, 40 insertions(+), 56 deletions(-)
>
>
applied, thanks!