From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 4C74B1FF16B for ; Thu, 31 Oct 2024 13:16:58 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 729C18DCB; Thu, 31 Oct 2024 13:17:02 +0100 (CET) From: Christian Ebner To: pbs-devel@lists.proxmox.com Date: Thu, 31 Oct 2024 13:15:08 +0100 Message-Id: <20241031121519.434337-19-c.ebner@proxmox.com> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20241031121519.434337-1-c.ebner@proxmox.com> References: <20241031121519.434337-1-c.ebner@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.030 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pbs-devel] [PATCH v6 proxmox-backup 18/29] api: config: factor out sync job owner check X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" Move the sync job owner check to its own helper function, for it to be reused for the owner check for sync jobs in push direction. No functional change intended. Signed-off-by: Christian Ebner --- changes since version 5: - use pre-existing check_backup_owner helper src/api2/config/sync.rs | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/api2/config/sync.rs b/src/api2/config/sync.rs index 38325f5b2..3963049e9 100644 --- a/src/api2/config/sync.rs +++ b/src/api2/config/sync.rs @@ -14,6 +14,7 @@ use pbs_api_types::{ use pbs_config::sync; use pbs_config::CachedUserInfo; +use pbs_datastore::check_backup_owner; pub fn check_sync_job_read_access( user_info: &CachedUserInfo, @@ -34,6 +35,14 @@ pub fn check_sync_job_read_access( } } +fn is_correct_owner(auth_id: &Authid, job: &SyncJobConfig) -> bool { + match job.owner { + Some(ref owner) => check_backup_owner(owner, auth_id).is_ok(), + // default sync owner + None => auth_id == Authid::root_auth_id(), + } +} + /// checks whether user can run the corresponding pull job /// /// namespace creation/deletion ACL and backup group ownership checks happen in the pull code directly. @@ -54,17 +63,8 @@ pub fn check_sync_job_modify_access( } } - let correct_owner = match job.owner { - Some(ref owner) => { - owner == auth_id - || (owner.is_token() && !auth_id.is_token() && owner.user() == auth_id.user()) - } - // default sync owner - None => auth_id == Authid::root_auth_id(), - }; - // same permission as changing ownership after syncing - if !correct_owner && ns_anchor_privs & PRIV_DATASTORE_MODIFY == 0 { + if !is_correct_owner(auth_id, job) && ns_anchor_privs & PRIV_DATASTORE_MODIFY == 0 { return false; } -- 2.39.5 _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel