From: "Shannon Sterz" <s.sterz@proxmox.com>
To: "Shan Shaji" <s.shaji@proxmox.com>
Cc: Proxmox Datacenter Manager development discussion
<pdm-devel@lists.proxmox.com>
Subject: Re: [pdm-devel] [PATCH datacenter-manager 2/2] fix #6901: api: remove `node` reference from templated privilege path
Date: Mon, 13 Oct 2025 10:41:39 +0200
Message-ID: <DDH26QTIY3JJ.Y0I7EEY98UR5@proxmox.com>
In-Reply-To: <20251010151803.257519-3-s.shaji@proxmox.com>
On Fri Oct 10, 2025 at 5:18 PM CEST, Shan Shaji wrote:
> If a non-root user tried to view the overview of a PBS, it was
> showing "403: permission check failed" error. This occurred because the
> privilege path included the "node" object which is neither accepted
> as a parameter in the endpoint nor passed from the UI.
>
> To fix the issue removed the "node" reference. Now if the user has
> at least the `Resource.Audit` permission, they can view PBS status under
> the overview panel.
>
> Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
> ---
> server/src/api/pbs/mod.rs | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/server/src/api/pbs/mod.rs b/server/src/api/pbs/mod.rs
> index dc31f62..65a2e43 100644
> --- a/server/src/api/pbs/mod.rs
> +++ b/server/src/api/pbs/mod.rs
> @@ -272,7 +272,8 @@ pub async fn scan_remote_pbs(
> },
> },
> access: {
> - permission: &Permission::Privilege(&["resource", "{remote}", "node", "{node}"], PRIV_RESOURCE_AUDIT, false),
> + permission: &Permission::Privilege(&["resource", "{remote}"], PRIV_RESOURCE_AUDIT, false),
> + description: "The user needs to have atleast `Resource.Audit` privilege under `/resource`."
nit: same as previous patch, should be:
The user needs to have at least the `Resource.Audit` privilege on `/resource/{remote}/node/{node}`.
> },
> )]
> /// Get status for the PBS remote
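Review bot: the added `description` line says the privilege is needed "under `/resource`", but the `permission` line directly above it checks `["resource", "{remote}"]`, so the description should name `/resource/{remote}` to match the path that is actually evaluated, and "atleast" should read "at least". Because the check now stops at the remote level, it would also help to state in the commit message that `Resource.Audit` on `/resource/{remote}` is sufficient for this endpoint and that no per-node path is consulted any more, so anyone auditing ACLs knows which entry grants access to the status view.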
other than this and the comments on the previous patch
Reviewed-by: Shannon Sterz <s.sterz@proxmox.com>