[pve-devel] [PATCH manager 1/4] ui: api token: remove record context from TokenView add button handler

[pve-devel] [PATCH manager 1/4] ui: api token: remove record context from TokenView add button handler

[Daniel Kral]

Removes the record ("rec") variable from the TokenView, as it is always
undefined, because the "Add" button is a ExtJS Button and therefore the
button handler doesn't pass a third parameter as ProxmoxButton does.

Signed-off-by: Daniel Kral <d.kral@proxmox.com>
---
Please correct me if I'm missing something here, but I tested this
through Firefox's JavaScript debugger and assumed that tbar items are
"ExtJS.button.Button" by default, except when specifing another xtype.

This will make the fix for #5722 clearer to implement.

 www/manager6/dc/TokenView.js | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/www/manager6/dc/TokenView.js b/www/manager6/dc/TokenView.js
index 69c60569..eb910feb 100644
--- a/www/manager6/dc/TokenView.js
+++ b/www/manager6/dc/TokenView.js
@@ -106,13 +106,11 @@ Ext.define('PVE.dc.TokenView', {
             {
 		text: gettext('Add'),
 		disabled: !caps.access['User.Modify'],
-		handler: function(btn, e, rec) {
+		handler: function(btn, e) {
 		    let data = {};
 		    if (me.fixedUser) {
 			data.userid = me.fixedUser;
 			data.fixedUser = true;
-		    } else if (rec && rec.data) {
-			data.userid = rec.data.userid;
 		    }
 		    let win = Ext.create('PVE.dc.TokenEdit', {
 			isCreate: true,
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH manager 2/4] ui: api token: remove unused fixed user property

[Daniel Kral]

In earlier versions of the Proxmox VE WebGUI, a separate TokenView
window could be created from a submenu item in the user's menu in the
Workspace toolbar at the top. This submenu item was dropped in the
commit `2ac41a189a7b6853013d1b07bb9788612620ff29` (ui: drop login-user
fixed token edit due to multi window/z-index issues).

This change removes the unused TokenView window component with all
unused references to the `fixedUser` property, which is always unused as
the only provider for this property was the TokenView window component.

Signed-off-by: Daniel Kral <d.kral@proxmox.com>
---
Please correct me if I'm missing something here, but I couldn't find a
usage of the TokenView window or fixedUser property anywhere else and I
assumed that it won't be needed in the future anymore.

This will make the fix for #5722 clearer to implement.

 www/manager6/dc/TokenEdit.js |  3 +-
 www/manager6/dc/TokenView.js | 62 ------------------------------------
 2 files changed, 1 insertion(+), 64 deletions(-)

diff --git a/www/manager6/dc/TokenEdit.js b/www/manager6/dc/TokenEdit.js
index 3b25c739..d1c8300a 100644
--- a/www/manager6/dc/TokenEdit.js
+++ b/www/manager6/dc/TokenEdit.js
@@ -8,7 +8,6 @@ Ext.define('PVE.dc.TokenEdit', {
 
     isAdd: true,
     isCreate: false,
-    fixedUser: false,
 
     method: 'POST',
     url: '/api2/extjs/access/users/',
@@ -33,7 +32,7 @@ Ext.define('PVE.dc.TokenEdit', {
 	    {
 		xtype: 'pmxDisplayEditField',
 		cbind: {
-		    editable: (get) => get('isCreate') && !get('fixedUser'),
+		    editable: '{isCreate}',
 		},
 		submitValue: true,
 		editConfig: {
diff --git a/www/manager6/dc/TokenView.js b/www/manager6/dc/TokenView.js
index eb910feb..7d6d4274 100644
--- a/www/manager6/dc/TokenView.js
+++ b/www/manager6/dc/TokenView.js
@@ -7,9 +7,6 @@ Ext.define('PVE.dc.TokenView', {
     stateful: true,
     stateId: 'grid-tokens',
 
-    // use fixed user
-    fixedUser: undefined,
-
     initComponent: function() {
 	let me = this;
 
@@ -22,34 +19,6 @@ Ext.define('PVE.dc.TokenView', {
 	});
 
 	let reload = function() {
-	    if (me.fixedUser) {
-		Proxmox.Utils.API2Request({
-		    url: `/access/users/${encodeURIComponent(me.fixedUser)}/token`,
-		    method: 'GET',
-		    failure: function(response, opts) {
-			Proxmox.Utils.setErrorMask(me, response.htmlStatus);
-			me.load_task.delay(me.load_delay);
-		    },
-		    success: function(response, opts) {
-			Proxmox.Utils.setErrorMask(me, false);
-			let result = Ext.decode(response.responseText);
-			let data = result.data || [];
-			let records = [];
-			Ext.Array.each(data, function(token) {
-			    let r = {};
-			    r.id = me.fixedUser + '!' + token.tokenid;
-			    r.userid = me.fixedUser;
-			    r.tokenid = token.tokenid;
-			    r.comment = token.comment;
-			    r.expire = token.expire;
-			    r.privsep = token.privsep === 1;
-			    records.push(r);
-			});
-			store.loadData(records);
-		    },
-		});
-		return;
-	    }
 	    Proxmox.Utils.API2Request({
 		url: '/access/users/?full=1',
 		method: 'GET',
@@ -108,13 +77,8 @@ Ext.define('PVE.dc.TokenView', {
 		disabled: !caps.access['User.Modify'],
 		handler: function(btn, e) {
 		    let data = {};
-		    if (me.fixedUser) {
-			data.userid = me.fixedUser;
-			data.fixedUser = true;
-		    }
 		    let win = Ext.create('PVE.dc.TokenEdit', {
 			isCreate: true,
-			fixedUser: me.fixedUser,
 		    });
 		    win.setValues(data);
 		    win.on('destroy', reload);
@@ -168,7 +132,6 @@ Ext.define('PVE.dc.TokenView', {
 			let realm = Ext.String.htmlEncode(uid.substr(realmIndex));
 			return `${user} <span style='float:right;'>${realm}</span>`;
 		    },
-		    hidden: !!me.fixedUser,
 		    flex: 2,
 		},
 		{
@@ -204,31 +167,6 @@ Ext.define('PVE.dc.TokenView', {
 	    },
 	});
 
-	if (me.fixedUser) {
-	    reload();
-	}
-
 	me.callParent();
     },
 });
-
-Ext.define('PVE.window.TokenView', {
-    extend: 'Ext.window.Window',
-    mixins: ['Proxmox.Mixin.CBind'],
-
-    modal: true,
-    subject: gettext('API Tokens'),
-    scrollable: true,
-    layout: 'fit',
-    width: 800,
-    height: 400,
-    cbind: {
-	title: gettext('API Tokens') + ' - {userid}',
-    },
-    items: [{
-	xtype: 'pveTokenView',
-	cbind: {
-	    fixedUser: '{userid}',
-	},
-    }],
-});
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH manager 3/4] fix #5722: ui: api token: allow unprivileged users to create their own api tokens

[Daniel Kral]

Since `48a66a12ee19a8d14e92827623aa005c2ab2c06c` (ui: api token:
rewrite), the TokenEdit edit modal is prefilled with the userid, which
is currently logged in.

The selector items in Proxmox.form.UserSelector used in the TokenEdit
component are filled from the `/access/users` API endpoint, therefore
the user selection is restricted to which the user has "Sys.Audit" or
"User.Modify" permissions and the current authenticated user themselves.

Therefore, the button can be accessible to unprivileged users as well.
This change allows users without the "User.Modify" permission to add API
tokens, since this is already allowed by the API endpoint
`/access/users/{userid}/token/{tokenid}`.

Signed-off-by: Daniel Kral <d.kral@proxmox.com>
---
 www/manager6/dc/TokenView.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/www/manager6/dc/TokenView.js b/www/manager6/dc/TokenView.js
index 7d6d4274..d275a1c5 100644
--- a/www/manager6/dc/TokenView.js
+++ b/www/manager6/dc/TokenView.js
@@ -74,7 +74,6 @@ Ext.define('PVE.dc.TokenView', {
         let tbar = [
             {
 		text: gettext('Add'),
-		disabled: !caps.access['User.Modify'],
 		handler: function(btn, e) {
 		    let data = {};
 		    let win = Ext.create('PVE.dc.TokenEdit', {
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH manager 4/4] ui: api token: allow unprivileged users to modify their own api tokens

[Daniel Kral]

Allows unprivileged users to edit and remove their own API tokens, as
this is already allowed by the respective PUT and DELETE methods on the
API endpoint `/access/users/{userid}/token/{tokenid}`.

Signed-off-by: Daniel Kral <d.kral@proxmox.com>
---
As this cannot be seen in the diff directly: The run_editor is also used
when double-clicking the record item (in addition when clicking the Edit
button while the record item is selected).

This has not been requested in the BugZilla #5722, but has similar
intentions and made sense to include into this patch series as well.

 www/manager6/dc/TokenView.js | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/www/manager6/dc/TokenView.js b/www/manager6/dc/TokenView.js
index d275a1c5..f71ab905 100644
--- a/www/manager6/dc/TokenView.js
+++ b/www/manager6/dc/TokenView.js
@@ -57,8 +57,12 @@ Ext.define('PVE.dc.TokenView', {
 	    return `/access/users/${uid}/token/${tid}`;
 	};
 
+	let hasTokenCRUDPermissions = function(userid) {
+	    return userid === Proxmox.UserName || !!caps.access['User.Modify'];
+	};
+
 	let run_editor = function(rec) {
-	    if (!caps.access['User.Modify']) {
+	    if (!hasTokenCRUDPermissions(rec.data.userid)) {
 		return;
 	    }
 
@@ -88,14 +92,14 @@ Ext.define('PVE.dc.TokenView', {
 		xtype: 'proxmoxButton',
 		text: gettext('Edit'),
 		disabled: true,
-		enableFn: (rec) => !!caps.access['User.Modify'],
+		enableFn: (rec) => hasTokenCRUDPermissions(rec.data.userid),
 		selModel: sm,
 		handler: (btn, e, rec) => run_editor(rec),
 	    },
 	    {
 		xtype: 'proxmoxStdRemoveButton',
 		selModel: sm,
-		enableFn: (rec) => !!caps.access['User.Modify'],
+		enableFn: (rec) => hasTokenCRUDPermissions(rec.data.userid),
 		callback: reload,
 		getUrl: urlFromRecord,
 	    },
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH manager 1/4] ui: api token: remove record context from TokenView add button handler

[Fabian Grünbichler]

Consider the whole series

Tested-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

On October 31, 2024 2:46 pm, Daniel Kral wrote:
> Removes the record ("rec") variable from the TokenView, as it is always
> undefined, because the "Add" button is a ExtJS Button and therefore the
> button handler doesn't pass a third parameter as ProxmoxButton does.
> 
> Signed-off-by: Daniel Kral <d.kral@proxmox.com>
> ---
> Please correct me if I'm missing something here, but I tested this
> through Firefox's JavaScript debugger and assumed that tbar items are
> "ExtJS.button.Button" by default, except when specifing another xtype.
> 
> This will make the fix for #5722 clearer to implement.
> 
>  www/manager6/dc/TokenView.js | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
> 
> diff --git a/www/manager6/dc/TokenView.js b/www/manager6/dc/TokenView.js
> index 69c60569..eb910feb 100644
> --- a/www/manager6/dc/TokenView.js
> +++ b/www/manager6/dc/TokenView.js
> @@ -106,13 +106,11 @@ Ext.define('PVE.dc.TokenView', {
>              {
>  		text: gettext('Add'),
>  		disabled: !caps.access['User.Modify'],
> -		handler: function(btn, e, rec) {
> +		handler: function(btn, e) {
>  		    let data = {};
>  		    if (me.fixedUser) {
>  			data.userid = me.fixedUser;
>  			data.fixedUser = true;
> -		    } else if (rec && rec.data) {
> -			data.userid = rec.data.userid;
>  		    }
>  		    let win = Ext.create('PVE.dc.TokenEdit', {
>  			isCreate: true,
> -- 
> 2.39.5
> 
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 
> 


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel