From: Fabian Grünbichler
To: Proxmox VE development discussion
Date: Mon, 01 Aug 2022 14:01:17 +0200
Subject: Re: [pve-devel] [PATCH access-control 2/2] PVE/RPCEnvironment: add helper for checking hw permissions
Message-Id: <1659354771.rznwko94vg.astroid@nora.none>
In-Reply-To: <20220719114639.3035048-4-d.csapak@proxmox.com>
References: <20220719114639.3035048-1-d.csapak@proxmox.com> <20220719114639.3035048-4-d.csapak@proxmox.com>

On July 19, 2022 1:46 pm, Dominik Csapak wrote:
> like check_vm_perm, etc.
>
> Signed-off-by: Dominik Csapak
> --- > src/PVE/RPCEnvironment.pm | 8 ++++++++ > 1 file changed, 8 insertions(+) >=20 > diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm > index 7c37c6e..c1b712d 100644 > --- a/src/PVE/RPCEnvironment.pm > +++ b/src/PVE/RPCEnvironment.pm
> @@ -356,6 +356,14 @@ sub check_vm_perm { > return $self->check_full($user, "/vms/$vmid", $privs, $any, $noerr); > }; > =20 > +sub check_hw_perm { > + my ($self, $user, $id, $privs, $any, $noerr) =3D @_; > + > + my $cfg =3D $self->{user_cfg}; > + > + return $self->check_full($user, "/hardware/$id", $privs, $any, $noer= r); > +}

is this really needed (here?)? I mean, yes,

$rpcenv->check_hw_perm('foo@bar', "hardware_id", ['Hardware.Use'], 0, 0)

is a (tiny) bit shorter than

$rpcenv->check_full('foo@bar', "/hardware/hardware_id", ['Hardware.Use'], 0, 0)

but ;)

note that check_vm has a special job and is not just a wrapper for
checking $ID against /$PREFIX/$ID, it is specifically for checking guest
ACLs while honoring pool ACLs for the special case of "VM is currently
being created and not formally part of the pool yet"..

similarly, check_perm_modify serves the purpose of containing all the
"modify $path" -> "actual privilege" mappings in a single place.

the rest of the check_foo subs are low-level building blocks/helpers.

> + > sub is_group_member { > my ($self, $group, $user) =3D @_; > =20 > --=20 > 2.30.2
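
Review bot: in the added check_hw_perm, `my $cfg = $self->{user_cfg};` is assigned but never read before the return, so the line should be dropped. The sub also interpolates `$id` directly into the ACL path "/hardware/$id" with no comment on what form the id takes; a one-line comment stating the expected id format, and that callers pass an id rather than a path, would make the helper harder to misuse.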