* [pve-devel] [PATCH manager] tasks: allow API tokens to query their own UPIDs
@ 2020-09-23  8:38 Fabian Grünbichler
  2020-09-23  8:38 ` [pve-devel] [PATCH proxmox-widget-toolkit] tasks: include API token ID if available Fabian Grünbichler
  2020-09-25  5:42 ` [pve-devel] applied: [PATCH manager] tasks: allow API tokens to query their own UPIDs Thomas Lamprecht
  0 siblings, 2 replies; 4+ messages in thread
From: Fabian Grünbichler @ 2020-09-23  8:38 UTC (permalink / raw)
  To: pve-devel

and regular users to read all their own tasks as well as those of their
associated tokens.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 PVE/API2/Tasks.pm | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/PVE/API2/Tasks.pm b/PVE/API2/Tasks.pm
index 5dc6a4ad..8f6ab603 100644
--- a/PVE/API2/Tasks.pm
+++ b/PVE/API2/Tasks.pm
@@ -24,6 +24,18 @@ my $convert_token_task = sub {
     }
 };
 
+my $check_task_user = sub {
+    my ($task, $user) = @_;
+
+    if ($task->{tokenid}) {
+	my $fulltoken = PVE::AccessControl::join_tokenid($task->{user}, $task->{tokenid});
+	# token only sees token tasks, user sees user + token tasks
+	return $user eq $fulltoken || $user eq $task->{user};
+    } else {
+	return $user eq $task->{user};
+    }
+};
+
 __PACKAGE__->register_method({
     name => 'node_tasks',
     path => '',
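Review bot: `$check_task_user` becomes the ownership decision for every task endpoint this patch touches, but nothing on it states what shape `$task` must have. It only recognises a token task when `$task->{tokenid}` is set and `$task->{user}` holds the bare user, which is presumably what `$convert_token_task` produces (its body lies outside this hunk). I would add a comment above the sub such as `# $task must already have gone through $convert_token_task; true if $user owns the task (a user also owns tasks of their own tokens)`. The three later call sites visibly run `$convert_token_task->($task)` first, but the filter closure in the `@@ -126` hunk does not show it, so confirm the conversion happens before that closure is called. If it does not, the check falls back to plain `$user eq $task->{user}`, which denies rather than over-grants, but users would not see their tokens' tasks in the list.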
@@ -126,7 +138,7 @@ __PACKAGE__->register_method({
 	    my $task = shift;
 
 	    return 1 if $userfilter && $task->{user} !~ m/\Q$userfilter\E/i;
-	    return 1 if !($auditor || $user eq $task->{user});
+	    return 1 if !($auditor || $check_task_user->($task, $user));
 
 	    return 1 if $typefilter && $task->{type} ne $typefilter;
 
@@ -253,7 +265,7 @@ __PACKAGE__->register_method({
 
 	$convert_token_task->($task);
 
-	if ($user ne $task->{user}) {
+	if (!$check_task_user->($task, $user)) {
 	    $rpcenv->check($user, "/nodes/$node", [ 'Sys.Modify' ]);
 	}
 
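Review bot: The commit message speaks only of querying and reading tasks, yet the relaxed gate `if (!$check_task_user->($task, $user))` in this hunk sits in front of a `Sys.Modify` check, which suggests a state-changing endpoint (the method starts outside the hunk, so its name is not visible here). After this change a user skips the `Sys.Modify` requirement for tasks started by any of their tokens, and a token skips it for its own tasks. If that is intended, state it in the commit message and next to the check, e.g. `# task owner (the user, or the token that started it) may act on it without Sys.Modify`. That way a later audit of token privilege separation does not have to rediscover the behaviour from the helper.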
@@ -322,7 +334,7 @@ __PACKAGE__->register_method({
 
 	$convert_token_task->($task);
 
-	if ($user ne $task->{user})  {
+	if (!$check_task_user->($task, $user)) {
 	    $rpcenv->check($user, "/nodes/$node", [ 'Sys.Audit' ]);
 	}
 
@@ -380,7 +392,7 @@ __PACKAGE__->register_method({
 
 	$convert_token_task->($task);
 
-	if ($user ne $task->{user}) {
+	if (!$check_task_user->($task, $user)) {
 	    $rpcenv->check($user, "/nodes/$node", [ 'Sys.Audit' ]);
 	}
 
-- 
2.20.1





