From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 11A2479D5F for ; Thu, 6 May 2021 08:02:24 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 001741B97F for ; Thu, 6 May 2021 08:01:53 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 8FB751B96F for ; Thu, 6 May 2021 08:01:52 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 5D5654265B for ; Thu, 6 May 2021 08:01:52 +0200 (CEST) To: Proxmox Backup Server development discussion , Dominik Csapak References: <20210505100918.506-1-d.csapak@proxmox.com> <20210505100918.506-4-d.csapak@proxmox.com> From: Dietmar Maurer Message-ID: <10153350-a667-e363-09c3-3988827f1e93@proxmox.com> Date: Thu, 6 May 2021 08:01:51 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.10.0 MIME-Version: 1.0 In-Reply-To: <20210505100918.506-4-d.csapak@proxmox.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US X-SPAM-LEVEL: Spam detection results: 0 AWL 0.097 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment POISEN_SPAM_PILL 0.1 Meta: its spam POISEN_SPAM_PILL_1 0.1 random spam to be learned in bayes POISEN_SPAM_PILL_3 0.1 random spam to be learned in bayes SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [restore.rs] Subject: [pbs-devel] applied: [PATCH proxmox-backup v2 3/8] api2/tape/restore: factor out check_datastore_privs X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 May 2021 06:02:24 -0000 applied On 5/5/21 12:09 PM, Dominik Csapak wrote: > so that we can reuse it > > Signed-off-by: Dominik Csapak > --- > src/api2/tape/restore.rs | 39 +++++++++++++++++++++++++-------------- > 1 file changed, 25 insertions(+), 14 deletions(-) > > diff --git a/src/api2/tape/restore.rs b/src/api2/tape/restore.rs > index 1dd6ba11..b7bf6670 100644 > --- a/src/api2/tape/restore.rs > +++ b/src/api2/tape/restore.rs > @@ -157,6 +157,30 @@ impl DataStoreMap { > } > } > > +fn check_datastore_privs( > + user_info: &CachedUserInfo, > + store: &str, > + auth_id: &Authid, > + owner: &Option, > +) -> Result<(), Error> { > + let privs = user_info.lookup_privs(&auth_id, &["datastore", &store]); > + if (privs & PRIV_DATASTORE_BACKUP) == 0 { > + bail!("no permissions on /datastore/{}", store); > + } > + > + if let Some(ref owner) = owner { > + let correct_owner = owner == auth_id > + || (owner.is_token() && !auth_id.is_token() && owner.user() == auth_id.user()); > + > + // same permission as changing ownership after syncing > + if !correct_owner && privs & PRIV_DATASTORE_MODIFY == 0 { > + bail!("no permission to restore as '{}'", owner); > + } > + } > + > + Ok(()) > +} > + > pub const ROUTER: Router = Router::new().post(&API_METHOD_RESTORE); > > #[api( > @@ -212,20 +236,7 @@ pub fn restore( > } > > for store in used_datastores.iter() { > - let privs = user_info.lookup_privs(&auth_id, &["datastore", &store]); > - if (privs & PRIV_DATASTORE_BACKUP) == 0 { > - bail!("no permissions on /datastore/{}", store); > - } > - > - if let Some(ref owner) = owner { > - let correct_owner = owner == &auth_id > - || (owner.is_token() && !auth_id.is_token() && owner.user() == auth_id.user()); > - > - // same permission as changing ownership after syncing > - if !correct_owner && privs & PRIV_DATASTORE_MODIFY == 0 { > - bail!("no permission to restore as '{}'", owner); > - } > - } > + check_datastore_privs(&user_info, &store, &auth_id, &owner)?; > } > > let privs = user_info.lookup_privs(&auth_id, &["tape", "drive", &drive]);