From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [RFC proxmox-backup 13/15] tasks: allow unpriv users to read their tokens' tasks
Date: Mon, 19 Oct 2020 09:39:17 +0200 [thread overview]
Message-ID: <20201019073919.588521-14-f.gruenbichler@proxmox.com> (raw)
In-Reply-To: <20201019073919.588521-1-f.gruenbichler@proxmox.com>
and tighten down the return schema while we're at it.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
src/api2/node/tasks.rs | 26 ++++++++++++++------------
1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/src/api2/node/tasks.rs b/src/api2/node/tasks.rs
index b86eaec7..379ec6fc 100644
--- a/src/api2/node/tasks.rs
+++ b/src/api2/node/tasks.rs
@@ -14,6 +14,14 @@ use crate::server::{self, UPID, TaskState, TaskListInfoIterator};
use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_SYS_MODIFY};
use crate::config::cached_user_info::CachedUserInfo;
+fn check_task_access(auth_user: &Userid, task_user: &Userid) -> Result<(), Error> {
+ if auth_user == task_user || (task_user.is_tokenid() && &task_user.owner().unwrap() == auth_user) {
+ Ok(())
+ } else {
+ let user_info = CachedUserInfo::new()?;
+ user_info.check_privs(auth_user, &["system", "tasks"], PRIV_SYS_AUDIT, false)
+ }
+}
#[api(
input: {
@@ -57,7 +65,7 @@ use crate::config::cached_user_info::CachedUserInfo;
description: "Worker ID (arbitrary ASCII string)",
},
user: {
- type: String,
+ schema: PROXMOX_USER_OR_TOKEN_ID_SCHEMA,
description: "The user who started the task.",
},
status: {
@@ -85,11 +93,7 @@ async fn get_task_status(
let upid = extract_upid(¶m)?;
let userid: Userid = rpcenv.get_user().unwrap().parse()?;
-
- if userid != upid.userid {
- let user_info = CachedUserInfo::new()?;
- user_info.check_privs(&userid, &["system", "tasks"], PRIV_SYS_AUDIT, false)?;
- }
+ check_task_access(&userid, &upid.userid)?;
let mut result = json!({
"upid": param["upid"],
@@ -162,11 +166,7 @@ async fn read_task_log(
let upid = extract_upid(¶m)?;
let userid: Userid = rpcenv.get_user().unwrap().parse()?;
-
- if userid != upid.userid {
- let user_info = CachedUserInfo::new()?;
- user_info.check_privs(&userid, &["system", "tasks"], PRIV_SYS_AUDIT, false)?;
- }
+ check_task_access(&userid, &upid.userid)?;
let test_status = param["test-status"].as_bool().unwrap_or(false);
@@ -326,7 +326,9 @@ pub fn list_tasks(
Err(_) => return None,
};
- if !list_all && info.upid.userid != userid { return None; }
+ if !list_all && check_task_access(&userid, &info.upid.userid).is_err() {
+ return None;
+ }
if let Some(userid) = &userfilter {
if !info.upid.userid.as_str().contains(userid) { return None; }
--
2.20.1
next prev parent reply other threads:[~2020-10-19 7:40 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-19 7:39 [pbs-devel] [RFC proxmox-backup 00/15] API tokens Fabian Grünbichler
2020-10-19 7:39 ` [pbs-devel] [PATCH proxmox-backup 01/15] fix indentation Fabian Grünbichler
2020-10-19 12:00 ` [pbs-devel] applied: " Thomas Lamprecht
2020-10-19 7:39 ` [pbs-devel] [PATCH proxmox-backup 02/15] fix typos Fabian Grünbichler
2020-10-19 12:01 ` [pbs-devel] applied: " Thomas Lamprecht
2020-10-19 7:39 ` [pbs-devel] [PATCH proxmox-backup 03/15] REST: rename token to csrf_token Fabian Grünbichler
2020-10-19 12:02 ` [pbs-devel] applied: " Thomas Lamprecht
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 04/15] Userid: extend schema with token name Fabian Grünbichler
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 05/15] add ApiToken to user.cfg and CachedUserInfo Fabian Grünbichler
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 06/15] config: add token.shadow file Fabian Grünbichler
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 07/15] REST: extract and handle API tokens Fabian Grünbichler
2020-10-20 8:34 ` Wolfgang Bumiller
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 08/15] api: add API token endpoints Fabian Grünbichler
2020-10-20 9:42 ` Wolfgang Bumiller
2020-10-20 10:15 ` Wolfgang Bumiller
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 09/15] api: allow listing users + tokens Fabian Grünbichler
2020-10-20 10:10 ` Wolfgang Bumiller
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 10/15] api: add permissions endpoint Fabian Grünbichler
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 11/15] client: allow using ApiToken + secret Fabian Grünbichler
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 12/15] owner checks: handle backups owned by API tokens Fabian Grünbichler
2020-10-19 7:39 ` Fabian Grünbichler [this message]
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 14/15] manager: add token commands Fabian Grünbichler
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 15/15] manager: add user permissions command Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201019073919.588521-14-f.gruenbichler@proxmox.com \
--to=f.gruenbichler@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox