From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <f.ebner@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 0CE4D99209
 for <pve-devel@lists.proxmox.com>; Tue, 10 Oct 2023 14:10:52 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id DAF6132933
 for <pve-devel@lists.proxmox.com>; Tue, 10 Oct 2023 14:10:21 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS
 for <pve-devel@lists.proxmox.com>; Tue, 10 Oct 2023 14:10:20 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 7A888449A4
 for <pve-devel@lists.proxmox.com>; Tue, 10 Oct 2023 14:10:20 +0200 (CEST)
Message-ID: <59c6e639-1bcd-250d-f53f-3fc55b7f51b6@proxmox.com>
Date: Tue, 10 Oct 2023 14:10:19 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.15.1
Content-Language: en-US
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
 Lukas Wagner <l.wagner@proxmox.com>
References: <20230726134145.700213-1-l.wagner@proxmox.com>
From: Fiona Ebner <f.ebner@proxmox.com>
In-Reply-To: <20230726134145.700213-1-l.wagner@proxmox.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-SPAM-LEVEL: Spam detection results:  0
 AWL 1.536 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 NICE_REPLY_A           -3.339 Looks like a legit reply (A)
 POISEN_SPAM_PILL_3        0.1 random spam to be learned in bayes
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: Re: [pve-devel] [PATCH manager] ui: acl add: show warning if
 root@pam is selected
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Tue, 10 Oct 2023 12:10:52 -0000

Am 26.07.23 um 15:41 schrieb Lukas Wagner:
> Currently, users are able to add ACL entries for the root@pam user.
> Since this user always has full permissions, no entry in the ACL
> tree will be saved, and consequently no new entry shows up in the UI
> after pressing 'Add' in the dialog. This can be irritating if the
> user does not know about this 'implementation detail'.
> 

Should we filter out the root@pam user from the selection dropdown
altogether? Or maybe disable the Add button when root@pam is selected
(and reword the warning appropriately)?

> This commit adds a little warning that pops up if root@pam is
> selected:
> 
>   'root@pam always has full permissions. No entry will be added.'
> 
> The same problem also exists for API token permissions. Here it is
> not really easy to add the warning though, since we do not know if
> the token has separated privileges enable or not.
> 

It seems we do have that information available as a result of the
/access/users?full=1 API call, or?

> Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
> ---
>  www/manager6/dc/ACLView.js | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
> 
> diff --git a/www/manager6/dc/ACLView.js b/www/manager6/dc/ACLView.js
> index 79f900cd..ec81a487 100644
> --- a/www/manager6/dc/ACLView.js
> +++ b/www/manager6/dc/ACLView.js
> @@ -35,6 +35,20 @@ Ext.define('PVE.dc.ACLAdd', {
>  		xtype: 'pmxUserSelector',
>  		name: 'users',
>  		fieldLabel: gettext('User'),
> +		listeners: {
> +		    change: function(field, newVal) {
> +			this.nextSibling('displayfield[reference=root-selected-warning]')
> +			    .setVisible(newVal === 'root@pam');
> +		    }

eslint complains about a missing trailing comma here

> +		},
> +	    });
> +	    items.push({
> +		    xtype: 'displayfield',
> +		    reference: 'root-selected-warning',
> +		    userCls: 'pmx-hint',
> +		    hidden: true,
> +		    value: '\'root@pam\' ' +
> +			gettext('always has full permissions. No entry will be added.'),
>  	    });
>  	} else if (me.aclType === 'token') {
>  	    me.subject = gettext("API Token Permission");