From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 2DB4C1FF16B for ; Thu, 31 Oct 2024 15:06:55 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id D0262B21F; Thu, 31 Oct 2024 15:06:58 +0100 (CET) From: Daniel Kral To: pve-devel@lists.proxmox.com Date: Thu, 31 Oct 2024 15:06:22 +0100 Message-Id: <20241031140622.153169-1-d.kral@proxmox.com> X-Mailer: git-send-email 2.39.5 MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.002 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pve-devel] [PATCH manager] ui: cloudinit: disallow unprivileged users to regenerate images X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" Disables the "Regenerate image" button in the VM CloudInit tab for users, which lack the necessary permissions to do so, which are "VM.Config.CloudInit" and "VM.Config.CDROM". This is checked by the VM config update API endpoint in qemu-server, when ejecting and re-adding CloudInit drive images. This is consistent with the permissions restricting access to adding CloudInit drives in the Hardware tab. This is a cosmetic change as the VM config update API endpoint would fail because of insufficient permissions anyway. Signed-off-by: Daniel Kral --- I stumbled upon this while checking on BugZilla #3105 and trying to use the "Regenerate image" button with a user, that had only VM.Audit and VM.Config.CloudInit permissions. where the user missed the "VM.Config.CDROM" permission and the action couldn't be completed. www/manager6/qemu/CloudInit.js | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/www/manager6/qemu/CloudInit.js b/www/manager6/qemu/CloudInit.js index 49519726..aeef8c15 100644 --- a/www/manager6/qemu/CloudInit.js +++ b/www/manager6/qemu/CloudInit.js @@ -142,7 +142,10 @@ Ext.define('PVE.qemu.CloudInit', { } }); - me.down('#savebtn').setDisabled(!found); + let caps = Ext.state.Manager.get('GuiCap'); + let canSaveImage = !!caps.vms['VM.Config.CDROM'] && !!caps.vms['VM.Config.Cloudinit']; + me.down('#savebtn').setDisabled(!found || !canSaveImage); + me.setDisabled(!found); if (!found) { me.getView().mask(gettext('No CloudInit Drive found'), ['pve-static-mask']); -- 2.39.5 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel