public inbox for pve-devel@lists.proxmox.com
* [pve-devel] [RFC/PATCH storage] api: disk list: allow if an audit permission for the node is present
@ 2021-03-10  9:26 Fabian Ebner
  2021-03-11 13:16 ` [pve-devel] applied: " Thomas Lamprecht
  0 siblings, 1 reply; 2+ messages in thread
From: Fabian Ebner @ 2021-03-10  9:26 UTC (permalink / raw)
  To: pve-devel

as that seems to be the more natural permission path for listing a node's local
disks. For backwards compatibility, the old permission check has to be kept
(relevant with propagate=0).

This API call was originally part of the Ceph API and got copied here later,
which might explain the current permission check.

In the UI, the Disk panel is visible with a node audit permission, but the API
call itself failed without the '/' audit permission.

Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
---
 PVE/API2/Disks.pm | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/PVE/API2/Disks.pm b/PVE/API2/Disks.pm
index d2ee81d..33bca76 100644
--- a/PVE/API2/Disks.pm
+++ b/PVE/API2/Disks.pm
@@ -82,7 +82,10 @@ __PACKAGE__->register_method ({
     protected => 1,
     proxyto => 'node',
     permissions => {
-	check => ['perm', '/', ['Sys.Audit', 'Datastore.Audit'], any => 1],
+	check => ['or',
+	    ['perm', '/', ['Sys.Audit', 'Datastore.Audit'], any => 1],
+	    ['perm', '/nodes/{node}', ['Sys.Audit', 'Datastore.Audit'], any => 1],
+	],
     },
     parameters => {
 	additionalProperties => 0,
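Review bot: The new '/nodes/{node}' branch of the 'or' check accepts Datastore.Audit as well as Sys.Audit (any => 1), so a user holding only a datastore audit privilege on the node path can now list that node's physical disks. Is that intended, or should the node path require Sys.Audit alone, with Datastore.Audit kept only on the '/' branch for backwards compatibility? Separately, a short comment above the '/' branch saying it is retained for backwards compatibility (relevant with propagate=0, per the commit message) would keep it from being dropped later as apparently redundant.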
-- 
2.20.1




