public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
* [pve-devel] [PATCH manager 1/4] ui: api token: remove record context from TokenView add button handler
@ 2024-10-31 13:46 Daniel Kral
  2024-10-31 13:46 ` [pve-devel] [PATCH manager 2/4] ui: api token: remove unused fixed user property Daniel Kral
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Daniel Kral @ 2024-10-31 13:46 UTC (permalink / raw)
  To: pve-devel

Removes the record ("rec") variable from the TokenView, as it is always
undefined, because the "Add" button is a ExtJS Button and therefore the
button handler doesn't pass a third parameter as ProxmoxButton does.

Signed-off-by: Daniel Kral <d.kral@proxmox.com>
---
Please correct me if I'm missing something here, but I tested this
through Firefox's JavaScript debugger and assumed that tbar items are
"ExtJS.button.Button" by default, except when specifing another xtype.

This will make the fix for #5722 clearer to implement.

 www/manager6/dc/TokenView.js | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/www/manager6/dc/TokenView.js b/www/manager6/dc/TokenView.js
index 69c60569..eb910feb 100644
--- a/www/manager6/dc/TokenView.js
+++ b/www/manager6/dc/TokenView.js
@@ -106,13 +106,11 @@ Ext.define('PVE.dc.TokenView', {
             {
 		text: gettext('Add'),
 		disabled: !caps.access['User.Modify'],
-		handler: function(btn, e, rec) {
+		handler: function(btn, e) {
 		    let data = {};
 		    if (me.fixedUser) {
 			data.userid = me.fixedUser;
 			data.fixedUser = true;
-		    } else if (rec && rec.data) {
-			data.userid = rec.data.userid;
 		    }
 		    let win = Ext.create('PVE.dc.TokenEdit', {
 			isCreate: true,
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [pve-devel] [PATCH manager 2/4] ui: api token: remove unused fixed user property
  2024-10-31 13:46 [pve-devel] [PATCH manager 1/4] ui: api token: remove record context from TokenView add button handler Daniel Kral
@ 2024-10-31 13:46 ` Daniel Kral
  2024-10-31 13:46 ` [pve-devel] [PATCH manager 3/4] fix #5722: ui: api token: allow unprivileged users to create their own api tokens Daniel Kral
  2024-10-31 13:46 ` [pve-devel] [PATCH manager 4/4] ui: api token: allow unprivileged users to modify " Daniel Kral
  2 siblings, 0 replies; 4+ messages in thread
From: Daniel Kral @ 2024-10-31 13:46 UTC (permalink / raw)
  To: pve-devel

In earlier versions of the Proxmox VE WebGUI, a separate TokenView
window could be created from a submenu item in the user's menu in the
Workspace toolbar at the top. This submenu item was dropped in the
commit `2ac41a189a7b6853013d1b07bb9788612620ff29` (ui: drop login-user
fixed token edit due to multi window/z-index issues).

This change removes the unused TokenView window component with all
unused references to the `fixedUser` property, which is always unused as
the only provider for this property was the TokenView window component.

Signed-off-by: Daniel Kral <d.kral@proxmox.com>
---
Please correct me if I'm missing something here, but I couldn't find a
usage of the TokenView window or fixedUser property anywhere else and I
assumed that it won't be needed in the future anymore.

This will make the fix for #5722 clearer to implement.

 www/manager6/dc/TokenEdit.js |  3 +-
 www/manager6/dc/TokenView.js | 62 ------------------------------------
 2 files changed, 1 insertion(+), 64 deletions(-)

diff --git a/www/manager6/dc/TokenEdit.js b/www/manager6/dc/TokenEdit.js
index 3b25c739..d1c8300a 100644
--- a/www/manager6/dc/TokenEdit.js
+++ b/www/manager6/dc/TokenEdit.js
@@ -8,7 +8,6 @@ Ext.define('PVE.dc.TokenEdit', {
 
     isAdd: true,
     isCreate: false,
-    fixedUser: false,
 
     method: 'POST',
     url: '/api2/extjs/access/users/',
@@ -33,7 +32,7 @@ Ext.define('PVE.dc.TokenEdit', {
 	    {
 		xtype: 'pmxDisplayEditField',
 		cbind: {
-		    editable: (get) => get('isCreate') && !get('fixedUser'),
+		    editable: '{isCreate}',
 		},
 		submitValue: true,
 		editConfig: {
diff --git a/www/manager6/dc/TokenView.js b/www/manager6/dc/TokenView.js
index eb910feb..7d6d4274 100644
--- a/www/manager6/dc/TokenView.js
+++ b/www/manager6/dc/TokenView.js
@@ -7,9 +7,6 @@ Ext.define('PVE.dc.TokenView', {
     stateful: true,
     stateId: 'grid-tokens',
 
-    // use fixed user
-    fixedUser: undefined,
-
     initComponent: function() {
 	let me = this;
 
@@ -22,34 +19,6 @@ Ext.define('PVE.dc.TokenView', {
 	});
 
 	let reload = function() {
-	    if (me.fixedUser) {
-		Proxmox.Utils.API2Request({
-		    url: `/access/users/${encodeURIComponent(me.fixedUser)}/token`,
-		    method: 'GET',
-		    failure: function(response, opts) {
-			Proxmox.Utils.setErrorMask(me, response.htmlStatus);
-			me.load_task.delay(me.load_delay);
-		    },
-		    success: function(response, opts) {
-			Proxmox.Utils.setErrorMask(me, false);
-			let result = Ext.decode(response.responseText);
-			let data = result.data || [];
-			let records = [];
-			Ext.Array.each(data, function(token) {
-			    let r = {};
-			    r.id = me.fixedUser + '!' + token.tokenid;
-			    r.userid = me.fixedUser;
-			    r.tokenid = token.tokenid;
-			    r.comment = token.comment;
-			    r.expire = token.expire;
-			    r.privsep = token.privsep === 1;
-			    records.push(r);
-			});
-			store.loadData(records);
-		    },
-		});
-		return;
-	    }
 	    Proxmox.Utils.API2Request({
 		url: '/access/users/?full=1',
 		method: 'GET',
@@ -108,13 +77,8 @@ Ext.define('PVE.dc.TokenView', {
 		disabled: !caps.access['User.Modify'],
 		handler: function(btn, e) {
 		    let data = {};
-		    if (me.fixedUser) {
-			data.userid = me.fixedUser;
-			data.fixedUser = true;
-		    }
 		    let win = Ext.create('PVE.dc.TokenEdit', {
 			isCreate: true,
-			fixedUser: me.fixedUser,
 		    });
 		    win.setValues(data);
 		    win.on('destroy', reload);
@@ -168,7 +132,6 @@ Ext.define('PVE.dc.TokenView', {
 			let realm = Ext.String.htmlEncode(uid.substr(realmIndex));
 			return `${user} <span style='float:right;'>${realm}</span>`;
 		    },
-		    hidden: !!me.fixedUser,
 		    flex: 2,
 		},
 		{
@@ -204,31 +167,6 @@ Ext.define('PVE.dc.TokenView', {
 	    },
 	});
 
-	if (me.fixedUser) {
-	    reload();
-	}
-
 	me.callParent();
     },
 });
-
-Ext.define('PVE.window.TokenView', {
-    extend: 'Ext.window.Window',
-    mixins: ['Proxmox.Mixin.CBind'],
-
-    modal: true,
-    subject: gettext('API Tokens'),
-    scrollable: true,
-    layout: 'fit',
-    width: 800,
-    height: 400,
-    cbind: {
-	title: gettext('API Tokens') + ' - {userid}',
-    },
-    items: [{
-	xtype: 'pveTokenView',
-	cbind: {
-	    fixedUser: '{userid}',
-	},
-    }],
-});
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [pve-devel] [PATCH manager 3/4] fix #5722: ui: api token: allow unprivileged users to create their own api tokens
  2024-10-31 13:46 [pve-devel] [PATCH manager 1/4] ui: api token: remove record context from TokenView add button handler Daniel Kral
  2024-10-31 13:46 ` [pve-devel] [PATCH manager 2/4] ui: api token: remove unused fixed user property Daniel Kral
@ 2024-10-31 13:46 ` Daniel Kral
  2024-10-31 13:46 ` [pve-devel] [PATCH manager 4/4] ui: api token: allow unprivileged users to modify " Daniel Kral
  2 siblings, 0 replies; 4+ messages in thread
From: Daniel Kral @ 2024-10-31 13:46 UTC (permalink / raw)
  To: pve-devel

Since `48a66a12ee19a8d14e92827623aa005c2ab2c06c` (ui: api token:
rewrite), the TokenEdit edit modal is prefilled with the userid, which
is currently logged in.

The selector items in Proxmox.form.UserSelector used in the TokenEdit
component are filled from the `/access/users` API endpoint, therefore
the user selection is restricted to which the user has "Sys.Audit" or
"User.Modify" permissions and the current authenticated user themselves.

Therefore, the button can be accessible to unprivileged users as well.
This change allows users without the "User.Modify" permission to add API
tokens, since this is already allowed by the API endpoint
`/access/users/{userid}/token/{tokenid}`.

Signed-off-by: Daniel Kral <d.kral@proxmox.com>
---
 www/manager6/dc/TokenView.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/www/manager6/dc/TokenView.js b/www/manager6/dc/TokenView.js
index 7d6d4274..d275a1c5 100644
--- a/www/manager6/dc/TokenView.js
+++ b/www/manager6/dc/TokenView.js
@@ -74,7 +74,6 @@ Ext.define('PVE.dc.TokenView', {
         let tbar = [
             {
 		text: gettext('Add'),
-		disabled: !caps.access['User.Modify'],
 		handler: function(btn, e) {
 		    let data = {};
 		    let win = Ext.create('PVE.dc.TokenEdit', {
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [pve-devel] [PATCH manager 4/4] ui: api token: allow unprivileged users to modify their own api tokens
  2024-10-31 13:46 [pve-devel] [PATCH manager 1/4] ui: api token: remove record context from TokenView add button handler Daniel Kral
  2024-10-31 13:46 ` [pve-devel] [PATCH manager 2/4] ui: api token: remove unused fixed user property Daniel Kral
  2024-10-31 13:46 ` [pve-devel] [PATCH manager 3/4] fix #5722: ui: api token: allow unprivileged users to create their own api tokens Daniel Kral
@ 2024-10-31 13:46 ` Daniel Kral
  2 siblings, 0 replies; 4+ messages in thread
From: Daniel Kral @ 2024-10-31 13:46 UTC (permalink / raw)
  To: pve-devel

Allows unprivileged users to edit and remove their own API tokens, as
this is already allowed by the respective PUT and DELETE methods on the
API endpoint `/access/users/{userid}/token/{tokenid}`.

Signed-off-by: Daniel Kral <d.kral@proxmox.com>
---
As this cannot be seen in the diff directly: The run_editor is also used
when double-clicking the record item (in addition when clicking the Edit
button while the record item is selected).

This has not been requested in the BugZilla #5722, but has similar
intentions and made sense to include into this patch series as well.

 www/manager6/dc/TokenView.js | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/www/manager6/dc/TokenView.js b/www/manager6/dc/TokenView.js
index d275a1c5..f71ab905 100644
--- a/www/manager6/dc/TokenView.js
+++ b/www/manager6/dc/TokenView.js
@@ -57,8 +57,12 @@ Ext.define('PVE.dc.TokenView', {
 	    return `/access/users/${uid}/token/${tid}`;
 	};
 
+	let hasTokenCRUDPermissions = function(userid) {
+	    return userid === Proxmox.UserName || !!caps.access['User.Modify'];
+	};
+
 	let run_editor = function(rec) {
-	    if (!caps.access['User.Modify']) {
+	    if (!hasTokenCRUDPermissions(rec.data.userid)) {
 		return;
 	    }
 
@@ -88,14 +92,14 @@ Ext.define('PVE.dc.TokenView', {
 		xtype: 'proxmoxButton',
 		text: gettext('Edit'),
 		disabled: true,
-		enableFn: (rec) => !!caps.access['User.Modify'],
+		enableFn: (rec) => hasTokenCRUDPermissions(rec.data.userid),
 		selModel: sm,
 		handler: (btn, e, rec) => run_editor(rec),
 	    },
 	    {
 		xtype: 'proxmoxStdRemoveButton',
 		selModel: sm,
-		enableFn: (rec) => !!caps.access['User.Modify'],
+		enableFn: (rec) => hasTokenCRUDPermissions(rec.data.userid),
 		callback: reload,
 		getUrl: urlFromRecord,
 	    },
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2024-10-31 13:47 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-10-31 13:46 [pve-devel] [PATCH manager 1/4] ui: api token: remove record context from TokenView add button handler Daniel Kral
2024-10-31 13:46 ` [pve-devel] [PATCH manager 2/4] ui: api token: remove unused fixed user property Daniel Kral
2024-10-31 13:46 ` [pve-devel] [PATCH manager 3/4] fix #5722: ui: api token: allow unprivileged users to create their own api tokens Daniel Kral
2024-10-31 13:46 ` [pve-devel] [PATCH manager 4/4] ui: api token: allow unprivileged users to modify " Daniel Kral

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal