[pbs-devel] applied: [PATCH proxmox-backup v2 3/8] api2/tape/restore: factor out check_datastore_privs

Dietmar Maurer dietmar at proxmox.com
Thu May 6 08:01:51 CEST 2021


applied

On 5/5/21 12:09 PM, Dominik Csapak wrote:
> so that we can reuse it
>
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
>   src/api2/tape/restore.rs | 39 +++++++++++++++++++++++++--------------
>   1 file changed, 25 insertions(+), 14 deletions(-)
>
> diff --git a/src/api2/tape/restore.rs b/src/api2/tape/restore.rs
> index 1dd6ba11..b7bf6670 100644
> --- a/src/api2/tape/restore.rs
> +++ b/src/api2/tape/restore.rs
> @@ -157,6 +157,30 @@ impl DataStoreMap {
>       }
>   }
>   
> +fn check_datastore_privs(
> +    user_info: &CachedUserInfo,
> +    store: &str,
> +    auth_id: &Authid,
> +    owner: &Option<Authid>,
> +) -> Result<(), Error> {
> +    let privs = user_info.lookup_privs(&auth_id, &["datastore", &store]);
> +    if (privs & PRIV_DATASTORE_BACKUP) == 0 {
> +        bail!("no permissions on /datastore/{}", store);
> +    }
> +
> +    if let Some(ref owner) = owner {
> +        let correct_owner = owner == auth_id
> +            || (owner.is_token() && !auth_id.is_token() && owner.user() == auth_id.user());
> +
> +        // same permission as changing ownership after syncing
> +        if !correct_owner && privs & PRIV_DATASTORE_MODIFY == 0 {
> +            bail!("no permission to restore as '{}'", owner);
> +        }
> +    }
> +
> +    Ok(())
> +}
> +
>   pub const ROUTER: Router = Router::new().post(&API_METHOD_RESTORE);
>   
>   #[api(
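Review bot: check_datastore_privs is an authorization gate that is being factored out for reuse, yet it is added without a doc comment saying what it enforces. I would put `/// Fails unless auth_id holds PRIV_DATASTORE_BACKUP on /datastore/{store}; restoring as another owner also needs PRIV_DATASTORE_MODIFY, unless the owner is a token of the calling non-token user.` above the signature. The comment should also say that an `owner` of `None` skips the ownership check entirely, so a future caller does not pass `None` expecting a stricter result. On the `!correct_owner` line the mask test is unparenthesised while the first test has parentheses; Rust precedence makes both correct, but `(privs & PRIV_DATASTORE_MODIFY) == 0` would keep the two checks visibly alike for reviewers.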
> @@ -212,20 +236,7 @@ pub fn restore(
>       }
>   
>       for store in used_datastores.iter() {
> -        let privs = user_info.lookup_privs(&auth_id, &["datastore", &store]);
> -        if (privs & PRIV_DATASTORE_BACKUP) == 0 {
> -            bail!("no permissions on /datastore/{}", store);
> -        }
> -
> -        if let Some(ref owner) = owner {
> -            let correct_owner = owner == &auth_id
> -                || (owner.is_token() && !auth_id.is_token() && owner.user() == auth_id.user());
> -
> -            // same permission as changing ownership after syncing
> -            if !correct_owner && privs & PRIV_DATASTORE_MODIFY == 0 {
> -                bail!("no permission to restore as '{}'", owner);
> -            }
> -        }
> +        check_datastore_privs(&user_info, &store, &auth_id, &owner)?;
>       }
>   
>       let privs = user_info.lookup_privs(&auth_id, &["tape", "drive", &drive]);




