[pdm-devel] [PATCH proxmox-datacenter-manager 6/9] api: sdn: add granular permissions for vnets

Gabriel Goller g.goller at proxmox.com
Wed Nov 12 14:20:23 CET 2025


Add granular permissions for SDN vnets, so that an ACL can be set on
`/resource/{remote}/sdn/vnet/{vnet-name}` and the vnet list is filtered by it.

Signed-off-by: Gabriel Goller <g.goller at proxmox.com>
---
 server/src/api/sdn/vnets.rs | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/server/src/api/sdn/vnets.rs b/server/src/api/sdn/vnets.rs
index ebd28742aa25..3c4397072f92 100644
--- a/server/src/api/sdn/vnets.rs
+++ b/server/src/api/sdn/vnets.rs
@@ -57,7 +57,7 @@ pub const ROUTER: Router = Router::new()
         permission: &Permission::Anybody,
         description: "The user needs to have at least the `Resource.Audit` privilege under `/resource`.
         Only vnets from remotes for which the user has `Resource.Audit` on `/resource/{remote_name}`
-        will be included in the returned list."
+        and `/resource/{remote_name}/sdn/vnet/{vnet}` will be included in the returned list."
     }
 )]
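Review bot: The new wording "on `/resource/{remote_name}` and `/resource/{remote_name}/sdn/vnet/{vnet}`" reads as if two separate grants were required, whereas the filter in `list_vnets` only performs one `lookup_privs` on the full vnet path, which presumably resolves inherited privileges from the remote level as well. Consider making that explicit, e.g. `Only vnets for which the user has \`Resource.Audit\` on \`/resource/{remote_name}/sdn/vnet/{vnet}\` (inherited or granted directly) will be included in the returned list.` The remote-level condition that gates fetching at all is still worth keeping in the sentence, but as the precondition rather than as a second conjunct.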
 /// Query VNets of PVE remotes with optional filtering options
@@ -110,12 +110,20 @@ async fn list_vnets(
             Ok(remote_result) => {
                 for (node, node_result) in remote_result.node_results.into_iter() {
                     match node_result {
-                        Ok(NodeResults { data, .. }) => {
-                            vnets.extend(data.into_iter().map(|vnet| ListVnet {
-                                remote: remote.clone(),
-                                vnet,
-                            }))
-                        }
+                        Ok(NodeResults { data, .. }) => vnets.extend(
+                            data.into_iter()
+                                .filter(|vnet| {
+                                    user_info.lookup_privs(
+                                        &auth_id,
+                                        &["resource", &remote, "sdn", "vnet", &vnet.vnet],
+                                    ) & PRIV_RESOURCE_AUDIT
+                                        != 0
+                                })
+                                .map(|vnet| ListVnet {
+                                    remote: remote.clone(),
+                                    vnet,
+                                }),
+                        ),
                         Err(error) => {
                             log::error!(
                                 "could not fetch vnets from remote {} node {}: {error:#}",
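Review bot: The ACL lookup key `&vnet.vnet` in the new filter is data returned by the remote, not something from local config, so it is worth confirming that `lookup_privs` tolerates arbitrary component strings (a name containing `/` or empty, for instance) and that this can only ever narrow the result — from the visible lines it cannot widen access beyond `/resource/{remote}`, but the caveat should be stated next to the check, e.g. `// vnet name is remote-supplied; it only selects a sub-path under this remote's ACL scope`. The five-level nesting also hides the actual condition; hoisting it into a closure above the loop, `let has_vnet_audit = |name: &str| user_info.lookup_privs(&auth_id, &["resource", &remote, "sdn", "vnet", name]) & PRIV_RESOURCE_AUDIT != 0;`, and calling `.filter(|vnet| has_vnet_audit(&vnet.vnet))` keeps the path layout in one place, which matters if the sibling SDN endpoints in this series build the same path. The enclosing `list_vnets` function, including the per-remote `Resource.Audit` check the docstring refers to, starts outside this hunk.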
-- 
2.47.3




