From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <l.stechauner@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 07334718DE
 for <pve-devel@lists.proxmox.com>; Thu, 20 May 2021 12:04:02 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 037D023327
 for <pve-devel@lists.proxmox.com>; Thu, 20 May 2021 12:04:02 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS id 1802C23310
 for <pve-devel@lists.proxmox.com>; Thu, 20 May 2021 12:04:01 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id D35A14662E
 for <pve-devel@lists.proxmox.com>; Thu, 20 May 2021 12:03:54 +0200 (CEST)
From: Lorenz Stechauner <l.stechauner@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Thu, 20 May 2021 12:03:40 +0200
Message-Id: <20210520100341.31811-3-l.stechauner@proxmox.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20210520100341.31811-1-l.stechauner@proxmox.com>
References: <20210520100341.31811-1-l.stechauner@proxmox.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.377 Adjusted score from AWL reputation of From: address
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: [pve-devel] [PATCH v2 manager 1/1] fix #3402: add Pool.Audit
 permission
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Thu, 20 May 2021 10:04:02 -0000

everywhere where Pool.Allocate was unnecessarly used it was replaced
with Pool.Audit.

`/cluster/resources` now returns pool infomation for guests only if
the requesting user has the Pool.Audit permission on the pool.

`/pool/` now returns only pools where the requesting user has the
Pool.Audit permission.

Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
---
 PVE/API2/Cluster.pm | 7 ++++++-
 PVE/API2/Pool.pm    | 7 ++++---
 PVE/API2/VZDump.pm  | 2 +-
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/PVE/API2/Cluster.pm b/PVE/API2/Cluster.pm
index ab5b28a1..641b846d 100644
--- a/PVE/API2/Cluster.pm
+++ b/PVE/API2/Cluster.pm
@@ -332,7 +332,7 @@ __PACKAGE__->register_method({
 	    for my $pool (sort keys %{$usercfg->{pools}}) {
 		my $d = $usercfg->{pools}->{$pool};
 
-		next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Allocate' ], 1);
+		next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Audit' ], 1);
 
 		my $entry = {
 		    id => "/pool/$pool",
@@ -384,6 +384,11 @@ __PACKAGE__->register_method({
 		    $entry->{lock} = $lock;
 		}
 
+		if (defined($entry->{pool}) &&
+		    !$rpcenv->check($authuser, "/pool/$entry->{pool}", ['Pool.Audit'], 1)) {
+		    delete $entry->{pool};
+		}
+
 		# get ha status
 		if (my $hatype = $hatypemap->{$entry->{type}}) {
 		    my $sid = "$hatype:$vmid";
diff --git a/PVE/API2/Pool.pm b/PVE/API2/Pool.pm
index 43375b02..28c29ab8 100644
--- a/PVE/API2/Pool.pm
+++ b/PVE/API2/Pool.pm
@@ -22,7 +22,7 @@ __PACKAGE__->register_method ({
     method => 'GET',
     description => "Pool index.",
     permissions => {
-	description => "List all pools where you have Pool.Allocate or VM.Allocate permissions on /pool/<pool>.",
+	description => "List all pools where you have Pool.Audit permissions on /pool/<pool>.",
 	user => 'all',
     },
     parameters => {
@@ -47,9 +47,10 @@ __PACKAGE__->register_method ({
 
 	my $usercfg = $rpcenv->{user_cfg};
 
+
 	my $res = [];
 	for my $pool (sort keys %{$usercfg->{pools}}) {
-	    next if !$rpcenv->check_any($authuser, "/pool/$pool", [ 'Pool.Allocate', 'VM.Allocate' ], 1);
+	    next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Audit' ], 1);
 
 	    my $entry = { poolid => $pool };
 	    my $pool_config = $usercfg->{pools}->{$pool};
@@ -200,7 +201,7 @@ __PACKAGE__->register_method ({
     path => '{poolid}',
     method => 'GET',
     permissions => {
-	check => ['perm', '/pool/{poolid}', ['Pool.Allocate']],
+	check => ['perm', '/pool/{poolid}', ['Pool.Audit']],
     },
     description => "Get pool configuration.",
     parameters => {
diff --git a/PVE/API2/VZDump.pm b/PVE/API2/VZDump.pm
index 82dd9415..4093d82f 100644
--- a/PVE/API2/VZDump.pm
+++ b/PVE/API2/VZDump.pm
@@ -226,7 +226,7 @@ __PACKAGE__->register_method ({
 
 	my $pool = $res->{pool};
 	if (defined($pool) &&
-	    !$rpcenv->check($authuser, "/pool/$pool", ['Pool.Allocate'], 1)) {
+	    !$rpcenv->check($authuser, "/pool/$pool", ['Pool.Audit'], 1)) {
 	    delete $res->{pool};
 	}
 
-- 
2.20.1