From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 2393164912 for ; Wed, 30 Dec 2020 12:21:54 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 17172209DB for ; Wed, 30 Dec 2020 12:21:24 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [212.186.127.180]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id F0F9B209CF for ; Wed, 30 Dec 2020 12:21:22 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id B9D2C446A6 for ; Wed, 30 Dec 2020 12:21:22 +0100 (CET) From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= To: pbs-devel@lists.proxmox.com Date: Wed, 30 Dec 2020 12:21:14 +0100 Message-Id: <20201230112114.424764-2-f.gruenbichler@proxmox.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20201230112114.424764-1-f.gruenbichler@proxmox.com> References: <20201230112114.424764-1-f.gruenbichler@proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.024 Adjusted score from AWL reputation of 
From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pbs-devel] [PATCH proxmox-backup 2/2] api: allow tokens to list users X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Dec 2020 11:21:54 -0000 their owner, or all if they have the appropriate privileges. Signed-off-by: Fabian Grünbichler --- Notes: this seems benign enough. an otherwise unprivileged API token can still not list any tokens, but that would require more changes.. src/api2/access/user.rs | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/src/api2/access/user.rs b/src/api2/access/user.rs index 72c79def..9ac9bbfa 100644 --- a/src/api2/access/user.rs +++ b/src/api2/access/user.rs @@ -1,4 +1,4 @@ -use anyhow::{bail, Error}; +use anyhow::{bail, format_err, Error}; use serde::{Serialize, Deserialize}; use serde_json::{json, Value}; use std::collections::HashMap; @@ -94,7 +94,6 @@ impl UserWithTokens { } } - #[api( input: { properties: { @@ -113,7 +112,7 @@ impl UserWithTokens { }, access: { permission: &Permission::Anybody, - description: "Returns all or just the logged-in user, depending on privileges.", + description: "Returns all or just the logged-in user (/API token owner), depending on privileges.", }, )] /// List users 
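Review bot: The new access description's parenthetical `(/API token owner)` reads like a path fragment rather than an alternative, and this string is what tells an administrator what a token is able to see. Something like `description: "Returns all users, or only the logged-in user (for an API token: its owner), depending on privileges.",` says the same thing unambiguously. The `#[api(` block opens above this hunk.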
@@ -125,9 +124,12 @@ pub fn list_users( let (config, digest) = user::config()?; - // intentionally user only for now - let userid: Userid = rpcenv.get_auth_id().unwrap().parse()?; - let auth_id = Authid::from(userid.clone()); + let auth_id: Authid = rpcenv + .get_auth_id() + .ok_or_else(|| format_err!("no authid available"))? + .parse()?; + + let userid = auth_id.user(); let user_info = CachedUserInfo::new()?; @@ -135,7 +137,7 @@ pub fn list_users( let top_level_allowed = (top_level_privs & PRIV_SYS_AUDIT) != 0; let filter_by_privs = |user: &user::User| { - top_level_allowed || user.userid == userid + top_level_allowed || user.userid == *userid }; -- 2.20.1
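Review bot: The removed comment `// intentionally user only for now` recorded a deliberate restriction, and the new lines in list_users lift it without saying what a token is now allowed to see. Together with `user.userid == *userid` in the following hunk (-135,7 +137,7), a token whose own privileges lack PRIV_SYS_AUDIT still gets its owner's user entry, so the owner's record becomes readable by that user's tokens. I would state that above `let userid = auth_id.user();`, for example `// API tokens fall back to their owner's entry; the privilege check still uses auth_id`. The lookup that feeds `top_level_privs` sits between the two hunks and is not shown; presumably it is keyed on `auth_id` (the token) rather than on the owner, which is worth confirming because that is what keeps a privilege-separated token from listing all users. list_users starts before and ends after both hunks.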