From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Fri, 25 Oct 2024 12:16:29 +0200
From: Fabian Grünbichler
To: Proxmox Backup Server development discussion
References: <20241018084242.144010-1-c.ebner@proxmox.com> <20241018084242.144010-16-c.ebner@proxmox.com>
In-Reply-To: <20241018084242.144010-16-c.ebner@proxmox.com>
Message-Id: <1729851363.p563hjo8e3.astroid@yuna.none>
Subject: Re: [pbs-devel] [PATCH v5 proxmox-backup 15/31] api: config: factor out sync job owner check

On October 18, 2024 10:42 am, Christian Ebner wrote:
> Move the sync job owner check to its own helper function, for it to
> be reused for the owner check for sync jobs in push direction.
>
> No functional change intended.
> > Signed-off-by: Christian Ebner > --- > changes since version 4: > - no changes > > changes since version 3: > - not present in previous version > > src/api2/config/sync.rs | 22 ++++++++++++---------- > 1 file changed, 12 insertions(+), 10 deletions(-) > > diff --git a/src/api2/config/sync.rs b/src/api2/config/sync.rs > index ad6ba0c85..aed46aeb0 100644 > --- a/src/api2/config/sync.rs > +++ b/src/api2/config/sync.rs > @@ -35,6 +35,17 @@ pub fn check_sync_job_read_access( > } > } > > +fn is_correct_owner(auth_id: &Authid, job: &SyncJobConfig) -> bool { > + match job.owner { > + Some(ref owner) => { > + owner == auth_id > + || (owner.is_token() && !auth_id.is_token() && owner.user() == auth_id.user()) nit: this part here is pbs_datastore::datastore::check_backup_owner(owner, authid).is_ok() > + } > + // default sync owner > + None => auth_id == Authid::root_auth_id(), > + } > +} > + > /// checks whether user can run the corresponding pull job > /// > /// namespace creation/deletion ACL and backup group ownership checks happen in the pull code directly. > @@ -55,17 +66,8 @@ pub fn check_sync_job_modify_access( > } > } > > - let correct_owner = match job.owner { > - Some(ref owner) => { > - owner == auth_id > - || (owner.is_token() && !auth_id.is_token() && owner.user() == auth_id.user()) > - } > - // default sync owner > - None => auth_id == Authid::root_auth_id(), > - }; > - > // same permission as changing ownership after syncing > - if !correct_owner && ns_anchor_privs & PRIV_DATASTORE_MODIFY == 0 { > + if !is_correct_owner(auth_id, job) && ns_anchor_privs & PRIV_DATASTORE_MODIFY == 0 { > return false; > } > > -- > 2.39.5 > > > > _______________________________________________ > pbs-devel mailing list > pbs-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel > > > _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
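Review bot: `is_correct_owner`, added in the first hunk (`@@ -35,6 +35,17 @@`), has no doc comment, while `check_sync_job_modify_access` directly below it carries `///` docs. The helper encodes an authorization rule that is easy to misread: the clause `owner.is_token() && !auth_id.is_token() && owner.user() == auth_id.user()` lets a user act for a job owned by one of their own tokens, but not a token for its user or for a sibling token, and the `None` arm treats only `Authid::root_auth_id()` as the implicit owner. Since the commit message says the helper is meant to be reused for push-direction jobs, a short `///` comment stating both rules would keep the second caller from having to re-derive them.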
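Review bot: The rewritten condition in the second hunk (`@@ -55,17 +66,8 @@`), `!is_correct_owner(auth_id, job) && ns_anchor_privs & PRIV_DATASTORE_MODIFY == 0`, depends on Rust binding `&` tighter than `==`, which is the reverse of C. The expression is correct as written, but since the line is being touched anyway, writing the privilege test as `(ns_anchor_privs & PRIV_DATASTORE_MODIFY) == 0` would make the access check unambiguous to a reader who does not have the precedence table in mind.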