From: Fiona Ebner <f.ebner@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
Lukas Wagner <l.wagner@proxmox.com>
Subject: Re: [pve-devel] [PATCH manager] ui: acl add: show warning if root@pam is selected
Date: Tue, 10 Oct 2023 14:10:19 +0200 [thread overview]
Message-ID: <59c6e639-1bcd-250d-f53f-3fc55b7f51b6@proxmox.com> (raw)
In-Reply-To: <20230726134145.700213-1-l.wagner@proxmox.com>
Am 26.07.23 um 15:41 schrieb Lukas Wagner:
> Currently, users are able to add ACL entries for the root@pam user.
> Since this user always has full permissions, no entry in the ACL
> tree will be saved, and consequently no new entry shows up in the UI
> after pressing 'Add' in the dialog. This can be irritating if the
> user does not know about this 'implementation detail'.
>
Should we filter out the root@pam user from the selection dropdown
altogether? Or maybe disable the Add button when root@pam is selected
(and reword the warning appropriately)?
> This commit adds a little warning that pops up if root@pam is
> selected:
>
> 'root@pam always has full permissions. No entry will be added.'
>
> The same problem also exists for API token permissions. Here it is
> not really easy to add the warning though, since we do not know if
> the token has separated privileges enable or not.
>
It seems we do have that information available as a result of the
/access/users?full=1 API call, or?
> Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
> ---
> www/manager6/dc/ACLView.js | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/www/manager6/dc/ACLView.js b/www/manager6/dc/ACLView.js
> index 79f900cd..ec81a487 100644
> --- a/www/manager6/dc/ACLView.js
> +++ b/www/manager6/dc/ACLView.js
> @@ -35,6 +35,20 @@ Ext.define('PVE.dc.ACLAdd', {
> xtype: 'pmxUserSelector',
> name: 'users',
> fieldLabel: gettext('User'),
> + listeners: {
> + change: function(field, newVal) {
> + this.nextSibling('displayfield[reference=root-selected-warning]')
> + .setVisible(newVal === 'root@pam');
> + }
eslint complains about a missing trailing comma here
> + },
> + });
> + items.push({
> + xtype: 'displayfield',
> + reference: 'root-selected-warning',
> + userCls: 'pmx-hint',
> + hidden: true,
> + value: '\'root@pam\' ' +
> + gettext('always has full permissions. No entry will be added.'),
> });
> } else if (me.aclType === 'token') {
> me.subject = gettext("API Token Permission");
next prev parent reply other threads:[~2023-10-10 12:10 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-26 13:41 Lukas Wagner
2023-10-10 12:10 ` Fiona Ebner [this message]
2023-10-10 12:40 ` Lukas Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=59c6e639-1bcd-250d-f53f-3fc55b7f51b6@proxmox.com \
--to=f.ebner@proxmox.com \
--cc=l.wagner@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox