From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 63970B434F for ; Fri, 1 Dec 2023 14:24:14 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 481B4177F2 for ; Fri, 1 Dec 2023 14:24:14 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Fri, 1 Dec 2023 14:24:13 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 08AF8436A2 for ; Fri, 1 Dec 2023 14:24:13 +0100 (CET) From: Lukas Wagner To: pve-devel@lists.proxmox.com Date: Fri, 1 Dec 2023 14:24:09 +0100 Message-Id: <20231201132409.153256-1-l.wagner@proxmox.com> X-Mailer: git-send-email 2.39.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.158 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment POISEN_SPAM_PILL 0.1 Meta: its spam POISEN_SPAM_PILL_1 0.1 random spam to be learned in bayes POISEN_SPAM_PILL_3 0.1 random spam to be learned in bayes SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [replicationconfig.pm] Subject: [pve-devel] [RFC manager] api: replication: allow users to enumerate accessible replication jobs X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Dec 2023 13:24:14 -0000 Previously, the /cluster/replication API handler would fail completely with a HTTP 403 if a user does have VM.Audit permissions for a single VM/CT. That was due to the 'noerr' parameter not set for $rpcenv->check() Signed-off-by: Lukas Wagner --- Not sure if this violates our API stability guarantees, so I'm sending this as an RFC in advance. If this change is problematic, we could hide the new behavior behind an optional flag. This change is necessary for retrieving a list of known job-ids for enhancements to the notification matching rule edit window. PVE/API2/ReplicationConfig.pm | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/PVE/API2/ReplicationConfig.pm b/PVE/API2/ReplicationConfig.pm index 8af62621..d0e8a49e 100644 --- a/PVE/API2/ReplicationConfig.pm +++ b/PVE/API2/ReplicationConfig.pm @@ -20,7 +20,8 @@ __PACKAGE__->register_method ({ method => 'GET', description => "List replication jobs.", permissions => { - description => "Requires the VM.Audit permission on /vms/.", + description => "Will only return replication jobs for which the calling user has" + . " VM.Audit permission on /vms/.", user => 'all', }, parameters => { @@ -47,7 +48,7 @@ __PACKAGE__->register_method ({ foreach my $id (sort keys %{$cfg->{ids}}) { my $d = $cfg->{ids}->{$id}; my $vmid = $d->{guest}; - next if !$rpcenv->check($authuser, "/vms/$vmid", [ 'VM.Audit' ]); + next if !$rpcenv->check($authuser, "/vms/$vmid", [ 'VM.Audit' ], 1); $d->{id} = $id; push @$res, $d; } -- 2.39.2