public inbox for pdm-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: "Lukas Wagner" <l.wagner@proxmox.com>
To: "Proxmox Datacenter Manager development discussion"
	<pdm-devel@lists.proxmox.com>,
	"Shannon Sterz" <s.sterz@proxmox.com>
Subject: Re: [pdm-devel] [PATCH proxmox v3 5/5] access-control: allow reading all acls of the current authid
Date: Thu, 13 Nov 2025 11:23:07 +0100	[thread overview]
Message-ID: <DE7HRBJKEO5H.2J5QY8GMNNV53@proxmox.com> (raw)
In-Reply-To: <20251106143836.288888-6-s.sterz@proxmox.com>

On Thu Nov 6, 2025 at 3:38 PM CET, Shannon Sterz wrote:
> adds a parameter to the `API_METHOD_READ_ACL` endpoint to allow
> listing all ACL entries of the currently authenticated Authid.
> allowing a user to see their own ACLs does not really exposes any
> additional confidential information. however, being able to query this
> information allows us, for example, to adapt ui components to a users
> capabilities.
>
> Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
> ---
>  proxmox-access-control/src/api/acl.rs | 37 ++++++++++++++++++++++-----
>  1 file changed, 31 insertions(+), 6 deletions(-)
>
> diff --git a/proxmox-access-control/src/api/acl.rs b/proxmox-access-control/src/api/acl.rs
> index 4326215c..8bdbe0ed 100644
> --- a/proxmox-access-control/src/api/acl.rs
> +++ b/proxmox-access-control/src/api/acl.rs
> @@ -23,6 +23,12 @@ use crate::CachedUserInfo;
>                  optional: true,
>                  default: false,
>              },
> +            "exact-authid": {
> +                description: "Whether to return ACL entries for the exact current authid only.",
> +                type: bool,
> +                optional: true,
> +                default: false,
> +            }
>          },
>      },
>      returns: {
> @@ -34,13 +40,17 @@ use crate::CachedUserInfo;
>      },
>      access: {
>          permission: &Permission::Anybody,
> -        description: "Returns all ACLs if user has sufficient privileges on this endpoint, otherwise it is limited to the user's API tokens.",
> +        description: "Returns all ACLs if a user has sufficient privileges on this endpoint. \
> +            Otherwise it is limited to the user's API tokens. However, if `exact-authid` is \
> +            specified, all ACLs of the current Auhtid will be returned, whether the Authid has \
                                                     ^
nit: typo in Authid

> +            privileges to list other ACLs here or not.",
>      },
>  )]
>  /// Get ACL entries, can be filter by path.
>  pub fn read_acl(
>      path: Option<String>,
>      exact: bool,
> +    exact_authid: bool,
>      rpcenv: &mut dyn RpcEnvironment,
>  ) -> Result<Vec<AclListItem>, Error> {
>      let auth_id = rpcenv
> @@ -58,7 +68,11 @@ pub fn read_acl(
>          )
>          .is_err();
>  
> -    let filter = if filter_entries { Some(auth_id) } else { None };
> +    let filter = if filter_entries || exact_authid {
> +        Some(auth_id)
> +    } else {
> +        None
> +    };
>  
>      let (mut tree, digest) = crate::acl::config()?;
>  
> @@ -74,7 +88,13 @@ pub fn read_acl(
>  
>      rpcenv["digest"] = hex::encode(digest).into();
>  
> -    Ok(extract_acl_node_data(node, path.as_deref(), exact, &filter))
> +    Ok(extract_acl_node_data(
> +        node,
> +        path.as_deref(),
> +        exact_authid,
> +        exact,
> +        &filter,
> +    ))
>  }
>  
>  #[api(
> @@ -241,7 +261,8 @@ pub fn update_acl(
>  fn extract_acl_node_data(
>      node: &AclTreeNode,
>      path: Option<&str>,
> -    exact: bool,
> +    exact_authid: bool,
> +    exact_path: bool,
>      auth_id_filter: &Option<Authid>,
>  ) -> Vec<AclListItem> {
>      // tokens can't have tokens, so we can early return
> @@ -259,7 +280,11 @@ fn extract_acl_node_data(
>  
>          for (user, roles) in &node.users {
>              if let Some(auth_id_filter) = auth_id_filter {
> -                if !user.is_token() || user.user() != auth_id_filter.user() {
> +                if exact_authid {
> +                    if user != auth_id_filter {
> +                        continue;
> +                    }
> +                } else if !user.is_token() || user.user() != auth_id_filter.user() {
>                      continue;
>                  }
>              }
> @@ -291,7 +316,7 @@ fn extract_acl_node_data(
>              }
>          }
>  
> -        if !exact {
> +        if !exact_path {
>              nodes.extend(
>                  node.children
>                      .iter()



_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel


  reply	other threads:[~2025-11-13 10:22 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-11-06 14:38 [pdm-devel] [PATCH datacenter-manager/proxmox/yew-comp v3 00/10] add support for checking acl permissions in (yew) front-ends Shannon Sterz
2025-11-06 14:38 ` [pdm-devel] [PATCH proxmox v3 1/5] access-control: add acl feature to only expose types and the AclTree Shannon Sterz
2025-11-06 14:38 ` [pdm-devel] [PATCH proxmox v3 2/5] access-control: use format strings where possible Shannon Sterz
2025-11-06 14:38 ` [pdm-devel] [PATCH proxmox v3 3/5] access-control: move functions querying privileges to the AclTree Shannon Sterz
2025-11-06 14:38 ` [pdm-devel] [PATCH proxmox v3 4/5] access-control: derive Debug and PartialEq on AclTree and AclTreeNode Shannon Sterz
2025-11-06 14:38 ` [pdm-devel] [PATCH proxmox v3 5/5] access-control: allow reading all acls of the current authid Shannon Sterz
2025-11-13 10:23   ` Lukas Wagner [this message]
2025-11-06 14:38 ` [pdm-devel] [PATCH yew-comp v3 1/2] acl_context: add AclContext and AclContextProvider Shannon Sterz
2025-11-06 14:38 ` [pdm-devel] [PATCH yew-comp v3 2/2] http_helpers: reload LocalAclTree when logging in or refreshing a ticket Shannon Sterz
2025-11-06 14:38 ` [pdm-devel] [PATCH datacenter-manager v3 1/3] server/api-types: move AccessControlConfig to shared api types Shannon Sterz
2025-11-13 10:15   ` Lukas Wagner
2025-11-13 10:23     ` Shannon Sterz
2025-11-06 14:38 ` [pdm-devel] [PATCH datacenter-manager v3 2/3] ui: add an AclContext via the AclContextProvider to the main app ui Shannon Sterz
2025-11-06 14:38 ` [pdm-devel] [PATCH datacenter-manager v3 3/3] ui: main menu: use the AclContext to hide the Notes if appropriate Shannon Sterz
2025-11-13 10:21 ` [pdm-devel] [PATCH datacenter-manager/proxmox/yew-comp v3 00/10] add support for checking acl permissions in (yew) front-ends Lukas Wagner
2025-11-13 10:26   ` Shannon Sterz
2025-11-13 13:58 ` Fabian Grünbichler
2025-11-13 14:27   ` Shannon Sterz
2025-11-13 16:18     ` Thomas Lamprecht
2025-11-13 16:39       ` Shannon Sterz
2025-11-13 17:06         ` Thomas Lamprecht
2025-11-14 14:44 ` [pdm-devel] Superseded: " Shannon Sterz

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DE7HRBJKEO5H.2J5QY8GMNNV53@proxmox.com \
    --to=l.wagner@proxmox.com \
    --cc=pdm-devel@lists.proxmox.com \
    --cc=s.sterz@proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal