From: Fiona Ebner <f.ebner@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
Lukas Wagner <l.wagner@proxmox.com>
Subject: Re: [pve-devel] [PATCH manager] ui: acl add: show warning if root@pam is selected
Date: Tue, 10 Oct 2023 14:10:19 +0200 [thread overview]
Message-ID: <59c6e639-1bcd-250d-f53f-3fc55b7f51b6@proxmox.com> (raw)
In-Reply-To: <20230726134145.700213-1-l.wagner@proxmox.com>
Am 26.07.23 um 15:41 schrieb Lukas Wagner:
> Currently, users are able to add ACL entries for the root@pam user.
> Since this user always has full permissions, no entry in the ACL
> tree will be saved, and consequently no new entry shows up in the UI
> after pressing 'Add' in the dialog. This can be irritating if the
> user does not know about this 'implementation detail'.
>
Should we filter out the root@pam user from the selection dropdown
altogether? Or maybe disable the Add button when root@pam is selected
(and reword the warning appropriately)?
> This commit adds a little warning that pops up if root@pam is
> selected:
>
> 'root@pam always has full permissions. No entry will be added.'
>
> The same problem also exists for API token permissions. Here it is
> not really easy to add the warning though, since we do not know if
> the token has separated privileges enable or not.
>
It seems we do have that information available as a result of the
/access/users?full=1 API call, or?
> Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
> ---
> www/manager6/dc/ACLView.js | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/www/manager6/dc/ACLView.js b/www/manager6/dc/ACLView.js
> index 79f900cd..ec81a487 100644
> --- a/www/manager6/dc/ACLView.js
> +++ b/www/manager6/dc/ACLView.js
> @@ -35,6 +35,20 @@ Ext.define('PVE.dc.ACLAdd', {
> xtype: 'pmxUserSelector',
> name: 'users',
> fieldLabel: gettext('User'),
> + listeners: {
> + change: function(field, newVal) {
> + this.nextSibling('displayfield[reference=root-selected-warning]')
> + .setVisible(newVal === 'root@pam');
> + }
eslint complains about a missing trailing comma here
> + },
> + });
> + items.push({
> + xtype: 'displayfield',
> + reference: 'root-selected-warning',
> + userCls: 'pmx-hint',
> + hidden: true,
> + value: '\'root@pam\' ' +
> + gettext('always has full permissions. No entry will be added.'),
> });
> } else if (me.aclType === 'token') {
> me.subject = gettext("API Token Permission");
next prev parent reply other threads:[~2023-10-10 12:10 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-26 13:41 Lukas Wagner
2023-10-10 12:10 ` Fiona Ebner [this message]
2023-10-10 12:40 ` Lukas Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=59c6e639-1bcd-250d-f53f-3fc55b7f51b6@proxmox.com \
--to=f.ebner@proxmox.com \
--cc=l.wagner@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal