From mboxrd@z Thu Jan  1 00:00:00 1970
From: Lukas Wagner <l.wagner@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Wed, 26 Jul 2023 15:41:45 +0200
Message-Id: <20230726134145.700213-1-l.wagner@proxmox.com>
Subject: [pve-devel] [PATCH manager] ui: acl add: show warning if root@pam
 is selected

Currently, users are able to add ACL entries for the root@pam user.
Since this user always has full permissions, no entry in the ACL
tree will be saved, and consequently no new entry shows up in the UI
after pressing 'Add' in the dialog. This can be irritating if the
user does not know about this 'implementation detail'.

This commit adds a little warning that pops up if root@pam is
selected:

  'root@pam always has full permissions. No entry will be added.'

The same problem also exists for API token permissions. Here it is
not really easy to add the warning though, since we do not know if
the token has separated privileges enabled or not.

Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
---
 www/manager6/dc/ACLView.js | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/www/manager6/dc/ACLView.js b/www/manager6/dc/ACLView.js
index 79f900cd..ec81a487 100644
--- a/www/manager6/dc/ACLView.js
+++ b/www/manager6/dc/ACLView.js
@@ -35,6 +35,20 @@ Ext.define('PVE.dc.ACLAdd', {
 		xtype: 'pmxUserSelector',
 		name: 'users',
 		fieldLabel: gettext('User'),
+		listeners: {
+		    change: function(field, newVal) {
+			this.nextSibling('displayfield[reference=root-selected-warning]')
+			    .setVisible(newVal === 'root@pam');
+		    }
+		},
+	    });
+	    items.push({
+		    xtype: 'displayfield',
+		    reference: 'root-selected-warning',
+		    userCls: 'pmx-hint',
+		    hidden: true,
+		    value: '\'root@pam\' ' +
+			gettext('always has full permissions. No entry will be added.'),
 	    });
 	} else if (me.aclType === 'token') {
 	    me.subject = gettext("API Token Permission");
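Review bot: The warning text in the new displayfield is built by concatenating '\'root@pam\' ' with gettext('always has full permissions. No entry will be added.'), so translators only see a sentence fragment without its subject and cannot reorder it for languages with a different word order. Consider passing the whole sentence through gettext with a placeholder, e.g. Ext.String.format(gettext("'{0}' always has full permissions. No entry will be added."), 'root@pam'). Two smaller points: the change listener finds the field with nextSibling('displayfield[reference=root-selected-warning]'), which silently depends on the warning staying a later sibling of the user selector, and since the hunk only toggles visibility, submitting the dialog with root@pam selected still goes ahead with nothing saved. Also, the properties of the added items.push({ ... }) block are indented one level deeper than those of the preceding item.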
-- 
2.39.2