[pbs-devel] [PATCH v5 proxmox-backup 15/31] api: config: factor out sync job owner check

Fabian Grünbichler f.gruenbichler at proxmox.com
Fri Oct 25 12:16:29 CEST 2024


On October 18, 2024 10:42 am, Christian Ebner wrote:
> Move the sync job owner check to its own helper function, for it to
> be reused for the owner check for sync jobs in push direction.
> 
> No functional change intended.
> 
> Signed-off-by: Christian Ebner <c.ebner at proxmox.com>
> ---
> changes since version 4:
> - no changes
> 
> changes since version 3:
> - not present in previous version
> 
>  src/api2/config/sync.rs | 22 ++++++++++++----------
>  1 file changed, 12 insertions(+), 10 deletions(-)
> 
> diff --git a/src/api2/config/sync.rs b/src/api2/config/sync.rs
> index ad6ba0c85..aed46aeb0 100644
> --- a/src/api2/config/sync.rs
> +++ b/src/api2/config/sync.rs
> @@ -35,6 +35,17 @@ pub fn check_sync_job_read_access(
>      }
>  }
>  
> +fn is_correct_owner(auth_id: &Authid, job: &SyncJobConfig) -> bool {
> +    match job.owner {
> +        Some(ref owner) => {
> +            owner == auth_id
> +                || (owner.is_token() && !auth_id.is_token() && owner.user() == auth_id.user())

nit: this part here is pbs_datastore::datastore::check_backup_owner(owner, authid).is_ok()

> +        }
> +        // default sync owner
> +        None => auth_id == Authid::root_auth_id(),
> +    }
> +}
> +
>  /// checks whether user can run the corresponding pull job
>  ///
>  /// namespace creation/deletion ACL and backup group ownership checks happen in the pull code directly.
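Review bot: The new `is_correct_owner` helper has no doc comment, although it encodes an asymmetric authorization rule that the commit message says will be reused for push-direction jobs. As written, a user matches a job owned by one of their own API tokens, but a token never matches a job owned by its user or by a sibling token, and a job without an owner only matches the root Authid. Stating that on the helper keeps a later caller from assuming the check is symmetric, for example `/// Returns true if auth_id is the job's owner, or is the user (not a token) whose API token owns the job.` followed by `/// A job without an explicit owner is owned by the default sync owner (Authid::root_auth_id()).`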
> @@ -55,17 +66,8 @@ pub fn check_sync_job_modify_access(
>          }
>      }
>  
> -    let correct_owner = match job.owner {
> -        Some(ref owner) => {
> -            owner == auth_id
> -                || (owner.is_token() && !auth_id.is_token() && owner.user() == auth_id.user())
> -        }
> -        // default sync owner
> -        None => auth_id == Authid::root_auth_id(),
> -    };
> -
>      // same permission as changing ownership after syncing
> -    if !correct_owner && ns_anchor_privs & PRIV_DATASTORE_MODIFY == 0 {
> +    if !is_correct_owner(auth_id, job) && ns_anchor_privs & PRIV_DATASTORE_MODIFY == 0 {
>          return false;
>      }
>  
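Review bot: The rewritten condition mixes `!`, `&&`, `&` and `==` without parentheses, which is easy to misread in an access check. Rust binds `&` tighter than `==`, so it evaluates as intended, but a reader used to C precedence will parse it as `ns_anchor_privs & (PRIV_DATASTORE_MODIFY == 0)`. Since the line is being touched anyway, consider `if !is_correct_owner(auth_id, job) && (ns_anchor_privs & PRIV_DATASTORE_MODIFY) == 0 {`. The enclosing `check_sync_job_modify_access` starts and ends outside the hunk, so how `ns_anchor_privs` is computed is not visible here.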
> -- 
> 2.39.5
> 
> 
> 
> 
> 
> 



