* [pve-devel] [PATCH access-control] fix realm sync permissions
@ 2021-12-20 10:31 Wolfgang Bumiller
2021-12-20 19:44 ` [pve-devel] applied: " Thomas Lamprecht
0 siblings, 1 reply; 2+ messages in thread
From: Wolfgang Bumiller @ 2021-12-20 10:31 UTC (permalink / raw)
To: pve-devel
The userid-* permission check variants work on
$param->{userid} directly which does not exist for this
call. Also, they work on the realm of the user being
checked, rather than the realm provided as parameter.
The result was that as non-root user this always failed
with the message "userid '' too short"
Fix this by making the check explicitly work like in the
description.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
src/PVE/API2/Domains.pm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/PVE/API2/Domains.pm b/src/PVE/API2/Domains.pm
index 9c2b254..56e8394 100644
--- a/src/PVE/API2/Domains.pm
+++ b/src/PVE/API2/Domains.pm
@@ -397,8 +397,8 @@ __PACKAGE__->register_method ({
description => "'Realm.AllocateUser' on '/access/realm/<realm>' and "
." 'User.Modify' permissions to '/access/groups/'.",
check => [ 'and',
- [ 'userid-param', 'Realm.AllocateUser' ],
- [ 'userid-group', ['User.Modify'] ],
+ ['perm', '/access/realm/{realm}', ['Realm.AllocateUser']],
+ ['perm', '/access/groups', ['User.Modify']],
],
},
description => "Syncs users and/or groups from the configured LDAP to user.cfg."
--
2.30.2
^ permalink raw reply [flat|nested] 2+ messages in thread
* [pve-devel] applied: [PATCH access-control] fix realm sync permissions
2021-12-20 10:31 [pve-devel] [PATCH access-control] fix realm sync permissions Wolfgang Bumiller
@ 2021-12-20 19:44 ` Thomas Lamprecht
0 siblings, 0 replies; 2+ messages in thread
From: Thomas Lamprecht @ 2021-12-20 19:44 UTC (permalink / raw)
To: Proxmox VE development discussion, Wolfgang Bumiller
On 20/12/2021 11:31, Wolfgang Bumiller wrote:
> The userid-* permission check variants work on
> $param->{userid} directly which does not exist for this
> call. Also, they work on the realm of the user being
> checked, rather than the realm provided as parameter.
>
> The result was that as non-root user this always failed
> with the message "userid '' too short"
>
> Fix this by making the check explicitly work like in the
> description.
>
> Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
> ---
> src/PVE/API2/Domains.pm | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>
applied, thanks!
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-12-20 19:44 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-12-20 10:31 [pve-devel] [PATCH access-control] fix realm sync permissions Wolfgang Bumiller
2021-12-20 19:44 ` [pve-devel] applied: " Thomas Lamprecht
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox