Re: [pve-devel] [PATCH manager] ui: qemu: hardware view: fix hwrng cap check for unprivileged users

From: Stefan Hanreich <s.hanreich@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
	Friedrich Weber <f.weber@proxmox.com>
Subject: Re: [pve-devel] [PATCH manager] ui: qemu: hardware view: fix hwrng cap check for unprivileged users
Date: Tue, 8 Apr 2025 18:51:30 +0200	[thread overview]
Message-ID: <5dd6168c-41c5-40e8-a9c8-209ca53fbf08@proxmox.com> (raw)
In-Reply-To: <20250408163856.116576-1-f.weber@proxmox.com>

Created a user with only PVEVMUser privileges and navigated to the
hardware tab of a VM. Could reproduce the issue with the exact same
error message in the JS console.

Applied the patch and reloaded, navigating to the HW tab now worked, so
consider this:

Tested-by: Stefan Hanreich <s.hanreich@proxmox.com>

On 4/8/25 18:38, Friedrich Weber wrote:
> Currently, as an unprivileged user with role PVEVMUser the GUI breaks
> with an error after navigating to a VM's hardware tab. The reason is
> that the frontend checks the GUI capabilites via `caps.mapping.hwrng`,
> but `caps.mapping` does not actually have a property called `hwrng`.
> 
> The reason this does not trigger for more privileged users is that all
> expressions involving `caps.mapping.hwrng` are short-circuited if the
> user has privilege `VM.Config.Type`, so `caps.mapping.hwrng` is never
> evaluated.
> 
> Fixes: a47a8afb ("ui: let non-root users configure VirtIO RNG devices")
> Signed-off-by: Friedrich Weber <f.weber@proxmox.com>
> ---
> 
> Notes:
>     I wasn't actually sure whether `caps` may have such a 2-level structure
>     in some cases, but it doesn't seem like it. After applying this patch
>     to pve-manager:
>     
>       % ag 'caps\.[^\[.]+\.'  | wc -l
>       0
> 
>  www/manager6/qemu/HardwareView.js | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/www/manager6/qemu/HardwareView.js b/www/manager6/qemu/HardwareView.js
> index 4ce9908c..b949264f 100644
> --- a/www/manager6/qemu/HardwareView.js
> +++ b/www/manager6/qemu/HardwareView.js
> @@ -316,8 +316,8 @@ Ext.define('PVE.qemu.HardwareView', {
>  	rows.rng0 = {
>  	    group: 45,
>  	    tdCls: 'pve-itype-icon-die',
> -	    editor: caps.vms['VM.Config.HWType'] || caps.mapping.hwrng['Mapping.Use'] ? 'PVE.qemu.RNGEdit' : undefined,
> -	    never_delete: !caps.vms['VM.Config.HWType'] && !caps.mapping.hwrng['Mapping.Use'],
> +	    editor: caps.vms['VM.Config.HWType'] || caps.mapping['Mapping.Use'] ? 'PVE.qemu.RNGEdit' : undefined,
> +	    never_delete: !caps.vms['VM.Config.HWType'] && !caps.mapping['Mapping.Use'],
>  	    header: gettext("VirtIO RNG"),
>  	};
>  	for (let i = 0; i < PVE.Utils.hardware_counts.virtiofs; i++) {
> @@ -757,7 +757,7 @@ Ext.define('PVE.qemu.HardwareView', {
>  				text: gettext("VirtIO RNG"),
>  				itemId: 'addRng',
>  				iconCls: 'pve-itype-icon-die',
> -				disabled: !caps.vms['VM.Config.HWType'] && !caps.mapping.hwrng['Mapping.Use'],
> +				disabled: !caps.vms['VM.Config.HWType'] && !caps.mapping['Mapping.Use'],
>  				handler: editorFactory('RNGEdit'),
>  			    },
>  			    {

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel