[pbs-devel] [PATCH proxmox-backup 1/6] backup: hierarchy: add new can_access_any_namespace_in_range helper
Dominik Csapak
d.csapak at proxmox.com
Fri Oct 3 10:50:34 CEST 2025
Sometimes we need to check the permissions for a range of namespaces,
beginning at a starting namespace and going down to a certain depth.
Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
src/backup/hierarchy.rs | 27 ++++++++++++++++++++-------
1 file changed, 20 insertions(+), 7 deletions(-)
diff --git a/src/backup/hierarchy.rs b/src/backup/hierarchy.rs
index 8dd71fcf7..438bc3ee3 100644
--- a/src/backup/hierarchy.rs
+++ b/src/backup/hierarchy.rs
@@ -68,19 +68,23 @@ pub fn check_ns_privs_full(
);
}
-pub fn can_access_any_namespace(
+/// Checks if the given user has read/access rights on any namespace on the given datastore,
+/// beginning with `start_ns` up to `max_depth` below.
+pub fn can_access_any_namespace_in_range(
store: Arc<DataStore>,
auth_id: &Authid,
user_info: &CachedUserInfo,
+ start_ns: Option<BackupNamespace>,
+ max_depth: Option<usize>,
) -> bool {
+ let ns = start_ns.unwrap_or_default();
// NOTE: traversing the datastore could be avoided if we had an "ACL tree: is there any priv
// below /datastore/{store}" helper
- let mut iter =
- if let Ok(iter) = store.recursive_iter_backup_ns_ok(BackupNamespace::root(), None) {
- iter
- } else {
- return false;
- };
+ let mut iter = if let Ok(iter) = store.recursive_iter_backup_ns_ok(ns, max_depth) {
+ iter
+ } else {
+ return false;
+ };
let wanted =
PRIV_DATASTORE_AUDIT | PRIV_DATASTORE_MODIFY | PRIV_DATASTORE_READ | PRIV_DATASTORE_BACKUP;
let name = store.name();
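Review bot: The doc comment added on `can_access_any_namespace_in_range` says "read/access rights", but the `wanted` mask below it is `PRIV_DATASTORE_AUDIT | PRIV_DATASTORE_MODIFY | PRIV_DATASTORE_READ | PRIV_DATASTORE_BACKUP`, so the wording understates what this gate accepts; the wrapper `can_access_any_namespace` in the next hunk repeats the same phrase. The code that tests `wanted` lies between the two hunks and is not visible here, so I assume any one of those bits on any visited namespace yields `true`. I would state that and the failure path explicitly, for example `/// Returns true if auth_id holds any of the AUDIT, MODIFY, READ or BACKUP privileges on at least one namespace in the range; false if the namespace iterator cannot be created.` A line on what `None` means would help callers too: `start_ns` falls back to `unwrap_or_default()`, and `max_depth` is handed to `recursive_iter_backup_ns_ok`, whose handling of it is outside this hunk. Because this is only an existence check, the comment should also say that callers still need a per-namespace privilege check before acting on a specific namespace.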
@@ -90,6 +94,15 @@ pub fn can_access_any_namespace(
})
}
+/// Checks if the given user has read/access rights on any namespace on given datastore
+pub fn can_access_any_namespace(
+ store: Arc<DataStore>,
+ auth_id: &Authid,
+ user_info: &CachedUserInfo,
+) -> bool {
+ can_access_any_namespace_in_range(store, auth_id, user_info, None, None)
+}
+
/// A privilege aware iterator for all backup groups in all Namespaces below an anchor namespace,
/// most often that will be the `BackupNamespace::root()` one.
///
--
2.47.3