From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 537B98582B for ; Mon, 20 Dec 2021 11:31:25 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 4627E1B21C for ; Mon, 20 Dec 2021 11:31:25 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 5B4CB1B205 for ; Mon, 20 Dec 2021 11:31:21 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 312A644E29 for ; Mon, 20 Dec 2021 11:31:21 +0100 (CET) From: Wolfgang Bumiller To: pve-devel@lists.proxmox.com Date: Mon, 20 Dec 2021 11:31:15 +0100 Message-Id: <20211220103115.146070-1-w.bumiller@proxmox.com> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.407 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pve-devel] [PATCH access-control] fix realm sync permissions X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 20 Dec 2021 10:31:25 -0000 The userid-* permission check variants work on $param->{userid} directly which does not exist for this call. Also, they work on the realm of the user being checked, rather than the realm provided as parameter. The result was that as non-root user this always failed with the message "userid '' too short" Fix this by making the check explicitly work like in the description. Signed-off-by: Wolfgang Bumiller --- src/PVE/API2/Domains.pm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/PVE/API2/Domains.pm b/src/PVE/API2/Domains.pm index 9c2b254..56e8394 100644 --- a/src/PVE/API2/Domains.pm +++ b/src/PVE/API2/Domains.pm @@ -397,8 +397,8 @@ __PACKAGE__->register_method ({ description => "'Realm.AllocateUser' on '/access/realm/' and " ." 'User.Modify' permissions to '/access/groups/'.", check => [ 'and', - [ 'userid-param', 'Realm.AllocateUser' ], - [ 'userid-group', ['User.Modify'] ], + ['perm', '/access/realm/{realm}', ['Realm.AllocateUser']], + ['perm', '/access/groups', ['User.Modify']], ], }, description => "Syncs users and/or groups from the configured LDAP to user.cfg." -- 2.30.2