[pve-devel] [PATCH manager] fix #474: allow transfer from container/vms
Fiona Ebner
f.ebner at proxmox.com
Thu Aug 10 09:16:34 CEST 2023
Am 09.08.23 um 16:20 schrieb Philipp Hufnagl:
> On 8/9/23 13:32, Fiona Ebner wrote:
>
>> The permission for the original pool should be checked here?! Or is
>> that already done somewhere?
>
> The permission of the original pool does not matter.
But it should. After all, the operation is modifying the original pool,
so the user better have an appropriate permission to do so.
> The permission of the VM is important
> (maybe the original pool granting the user permission on the VM).
> Hovever I tested it with granting the
> user merely audit permissions on the VM and admin permissions on the
> target pool and still got the
> correct permission error so I don't think the permission checks have to
> be modified at all
>
Currently, Permissions.Modify|VM.Allocate on the VM and Pool.Allocate on
the target pool would be enough to "steal" the guest, no permissions
required on the original pool at all. IMHO, the user really should have
a Pool.Allocate on the original pool as well.
Since I noticed it in v3: we usually use "api:" and "ui:" as prefixes
rather than "backend:" and "frontend:". Would be nice if you could use
them too for consistency.
More information about the pve-devel
mailing list