Date: Mon, 04 Dec 2023 14:39:48 +0100
From: Fabian Grünbichler
To: Proxmox VE development discussion
Subject: Re: [pve-devel] [RFC manager] api: replication: allow users to enumerate accessible replication jobs
References: <20231201132409.153256-1-l.wagner@proxmox.com>
In-Reply-To: <20231201132409.153256-1-l.wagner@proxmox.com>
Message-Id: <1701696810.6ovldiybh5.astroid@yuna.none>

On December 1, 2023 2:24 pm, Lukas Wagner wrote:
> Previously, the /cluster/replication API handler would fail completely
> with a HTTP 403 if a user does have VM.Audit permissions for
> a single VM/CT. That was due to the 'noerr' parameter not set for
> $rpcenv->check()
>
> Signed-off-by: Lukas Wagner
> ---
> Not sure if this violates our API stability guarantees, so I'm sending
> this as an RFC in advance. If this change is problematic, we could
> hide the new behavior behind an optional flag.
>
> This change is necessary for retrieving a list of known job-ids for
> enhancements to the notification matching rule edit window.

this seems very much in line with how we treat other, similar list calls
for various entities, and was also likely what was originally intended
(the `next if !` doesn't make any sense otherwise, after all).

going from a likely too strict check that is accidentally erroring out,
to the proper check not erroring out is definitely not an API breaking
change - if somebody was relying on this to error out if the calling
user doesn't have access to all replicated VMs, then they are relying on
undocumented behaviour..

consider this

Reviewed-by: Fabian Grünbichler

> PVE/API2/ReplicationConfig.pm | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) >=20 > diff --git a/PVE/API2/ReplicationConfig.pm b/PVE/API2/ReplicationConfig.p= m > index 8af62621..d0e8a49e 100644 > --- a/PVE/API2/ReplicationConfig.pm > +++ b/PVE/API2/ReplicationConfig.pm > @@ -20,7 +20,8 @@ __PACKAGE__->register_method ({ > method =3D> 'GET', > description =3D> "List replication jobs.", > permissions =3D> { > - description =3D> "Requires the VM.Audit permission on /vms/.", > + description =3D> "Will only return replication jobs for which the calli= ng user has" > + . " VM.Audit permission on /vms/.", > user =3D> 'all', > }, > parameters =3D> { 
> @@ -47,7 +48,7 @@ __PACKAGE__->register_method ({ > foreach my $id (sort keys %{$cfg->{ids}}) { > my $d =3D $cfg->{ids}->{$id}; > my $vmid =3D $d->{guest}; > - next if !$rpcenv->check($authuser, "/vms/$vmid", [ 'VM.Audit' ]); > + next if !$rpcenv->check($authuser, "/vms/$vmid", [ 'VM.Audit' ], 1)= ; > $d->{id} =3D $id; > push @$res, $d; > } > --=20 > 2.39.2
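
Review bot: In the first hunk (the `permissions` block at `@@ -20,7 +20,8 @@`), the new description says which jobs are returned but not that the remaining ones are dropped without any error, so a caller cannot tell an empty result caused by missing VM.Audit from a cluster that has no replication jobs. Consider saying so explicitly in the description string, for example that jobs on guests the user cannot audit are silently omitted and the list may be empty.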
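
Review bot: In the second hunk (`@@ -47,7 +48,7 @@`), the trailing `1` passed to `$rpcenv->check()` is a bare positional flag: the commit message identifies it as 'noerr', but nothing at the call site does. A short comment on that line naming the flag and its purpose (skip the job instead of failing the whole request with the 403 the commit message describes) would keep a later cleanup from dropping it and bringing back the all-or-nothing behaviour. The diffstat shows only ReplicationConfig.pm changed, so a regression test for a user who has VM.Audit on some guests but not all would be worth adding alongside.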