From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id A04421FF165 for ; Thu, 23 Oct 2025 11:30:59 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id BE4674C17; Thu, 23 Oct 2025 11:31:25 +0200 (CEST) Message-ID: <6ba2fbad-9058-4263-b98d-a1255234d7e9@proxmox.com> Date: Thu, 23 Oct 2025 11:31:22 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Beta To: Proxmox Datacenter Manager development discussion , Shannon Sterz References: <20251022131126.358790-1-s.sterz@proxmox.com> <20251022131126.358790-5-s.sterz@proxmox.com> Content-Language: en-US From: Dominik Csapak In-Reply-To: <20251022131126.358790-5-s.sterz@proxmox.com> X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1761211874516 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.026 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pdm-devel] [PATCH proxmox v2 4/4] access-control: allow reading all acls of the current authid X-BeenThere: pdm-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Datacenter Manager development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Datacenter Manager development discussion Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Errors-To: pdm-devel-bounces@lists.proxmox.com Sender: "pdm-devel" High level question: in proxmox-backup we already have a 'list_permissions' api call would that (or something like that) not be better suited for the purpose? (i don't know if it would be easy to refactor that api call here; probably not because it's pbs specific) since with this api call, we'd only have the 'raw' acl entries and must to calculate things like propagation, etc. on the frontend? Or am I wrong with that assumption? On 10/22/25 3:11 PM, Shannon Sterz wrote: > adds a parameter to the `API_METHOD_READ_ACL` endpoint to allow > listing all ACL entries of the currently authenticated Authid. 
> allowing a user to see their own ACLs does not really exposes any
> additional confidential information. however, being able to query this
> information allows us, for example, to adapt ui components to a users
> capabilities.
>
> Signed-off-by: Shannon Sterz
> ---
> proxmox-access-control/src/api/acl.rs | 37 ++++++++++++++++++++++-----
> 1 file changed, 31 insertions(+), 6 deletions(-)
>
> diff --git a/proxmox-access-control/src/api/acl.rs b/proxmox-access-control/src/api/acl.rs
> index 0194d517..07222939 100644
> --- a/proxmox-access-control/src/api/acl.rs
> +++ b/proxmox-access-control/src/api/acl.rs
> @@ -23,6 +23,12 @@ use crate::CachedUserInfo;
> optional: true,
> default: false,
> },
> + "exact-authid": {
> + description: "Whether to return ACL entries for the exact current authid only.",
> + type: bool,
> + optional: true,
> + default: false,
> + }
> },
> },
> returns: {
> @@ -34,13 +40,17 @@ use crate::CachedUserInfo;
> },
> access: {
> permission: &Permission::Anybody,
> - description: "Returns all ACLs if user has sufficient privileges on this endpoint, otherwise it is limited to the user's API tokens.",
> + description: "Returns all ACLs if a user has sufficient privileges on this endpoint. \
> + Otherwise it is limited to the user's API tokens. However, if `exact-authid` is \
> + specified, all ACLs of the current Auhtid will be returned, whether the Authid has \
> + privileges to list other ACLs here or not.",
> },
> )]
> /// Get ACL entries, can be filter by path.
> pub fn read_acl(
> path: Option,
> exact: bool,
> + exact_authid: bool,
> rpcenv: &mut dyn RpcEnvironment,
> ) -> Result, Error> {
> let auth_id = rpcenv
> @@ -58,7 +68,11 @@ pub fn read_acl(
> )
> .is_err();
>
> - let filter = if filter_entries { Some(auth_id) } else { None };
> + let filter = if filter_entries || exact_authid {
> + Some(auth_id)
> + } else {
> + None
> + };
>
> let (mut tree, digest) = crate::acl::config()?;
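Review bot: The new `access.description` string in the `@@ -34,13 +40,17 @@` hunk misspells the type name as `Auhtid`; since this text ends up in the generated API documentation it should read `specified, all ACLs of the current Authid will be returned, whether the Authid has \`. That description is also the only place documenting that `exact-authid` restricts the result even for callers who would otherwise see every entry, which the `filter_entries || exact_authid` change in the `@@ -58,7 +68,11 @@` hunk implements; a why-comment on that line, e.g. `// an explicit exact-authid request always limits the result to the caller's own entries`, would keep that intent visible next to the code. The body of `read_acl` continues beyond these hunks.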
>
> @@ -74,7 +88,13 @@ pub fn read_acl(
>
> rpcenv["digest"] = hex::encode(digest).into();
>
> - Ok(extract_acl_node_data(node, path.as_deref(), exact, &filter))
> + Ok(extract_acl_node_data(
> + node,
> + path.as_deref(),
> + exact_authid,
> + exact,
> + &filter,
> + ))
> }
>
> #[api(
> @@ -241,7 +261,8 @@ pub fn update_acl(
> fn extract_acl_node_data(
> node: &AclTreeNode,
> path: Option<&str>,
> - exact: bool,
> + exact_authid: bool,
> + exact_path: bool,
> auth_id_filter: &Option,
> ) -> Vec {
> // tokens can't have tokens, so we can early return
> @@ -259,7 +280,11 @@ fn extract_acl_node_data(
>
> for (user, roles) in &node.users {
> if let Some(auth_id_filter) = auth_id_filter {
> - if !user.is_token() || user.user() != auth_id_filter.user() {
> + if exact_authid {
> + if user != auth_id_filter {
> + continue;
> + }
> + } else if !user.is_token() || user.user() != auth_id_filter.user() {
> continue;
> }
> }
> @@ -291,7 +316,7 @@ fn extract_acl_node_data(
> }
> }
>
> - if !exact {
> + if !exact_path {
> nodes.extend(
> node.children
> .iter()
_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
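Review bot: The early return announced by `// tokens can't have tokens, so we can early return` at the top of `extract_acl_node_data` lies outside the `@@ -241,7 +261,8 @@` hunk, but if it still returns an empty list whenever `auth_id_filter` is a token, an API token calling `read_acl` with `exact-authid=true` now receives nothing instead of its own entries, because `filter` is `Some(auth_id)` for tokens as well. That guard should be bypassed when `exact_authid` is set, e.g. `if !exact_authid && auth_id_filter.is_token() { return Vec::new(); }` (adapted to the actual shape of the existing check). Separately, the helper now takes two adjacent positional `bool`s (`exact_authid`, `exact_path`) that the call site in the `@@ -74,7 +88,13 @@` hunk passes as `exact_authid, exact`; a doc comment on `extract_acl_node_data` stating that `exact_authid` requires the entry's Authid to equal the filter while `exact_path` stops the descent into `node.children` would make a transposed argument easy to spot. The `user != auth_id_filter` comparison only limits disclosure correctly because `filter` is the caller's own Authid taken from `rpcenv`; a one-line comment to that effect would document the assumption.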