[pdm-devel] [PATCH datacenter-manager/proxmox/yew-comp v3 00/10] add support for checking acl permissions in (yew) front-ends

[Shannon Sterz]

On Thu Nov 13, 2025 at 11:21 AM CET, Lukas Wagner wrote:
> On Thu Nov 6, 2025 at 3:38 PM CET, Shannon Sterz wrote:
>> this patch series adds support for querying acl entries from the
>> front-end. it also makes it possible to reactively render ui components
>> depending on the user's privileges and refreshes this information every
>> time a new ticket is set.
>>
>> the first four patches make it possible to use the AclTree by itself in
>> the ui. first by creating a new feature that exposes only it and some
>> types to dependent crates. then some functions that basically just query
>> the AclTree are moved to the AclTree itself to make it easier to re-use
>> them. the fourth patch derives Debug and PartialEq on the AclTree and
>> AclTreeNode to make it easier to handle these types in the ui. finally
>> the last commit allows to query all of a user's acl entries via the
>> API_METHOD_READ_ACL endpoint.
>>
>> the next two patches first add an AclContext and AclContextProvider
>> implementation to proxmox-yew-comp. these allow applications to provide
>> acl information that components can hook into and get reactively
>> re-rendered. it also triggers reloading the acl information every time a
>> user logs in or a ticket gets refreshed.
>>
>> lastly, proxmox-datacenter-manager is adapted to use this new
>> functionality. the seventh commit moves the AccessControlConfig to the
>> shared api types crate, so we can re-use it in the front-end. then an
>> AclContextProvider is added to the main ui component. this allows
>> components to retrieve said AclContext and use it to conditionally
>> render ui components. the last commit adds just such functionality to
>> the notes section of the pdm ui.
>>
>> Follow-up
>> ---------
>>
>> if this series is applied, more ui components will need to be hooked
>> into the context to more widely use this functionality accross the
>> application.
>>
>
> Looks pretty good to me. Went through the code, but saw nothing of
> concern. Also quickly tested this on the latest master. Created a new
> user and verified that it only sees the "Notes" entry if the correct
> permissions are set.
>
> The following log message is shown in the login mask, I think we could
> just silently ignore this error, as this is nothing of
> concern, as far as I can tell?
>
>   ERROR: [...] proxmox-yew-comp/src/acl_context.rs:136 Could not get current Authid, please login first.

yeah that happens in that split second that the ui takes to realize you
aren't actually logged in. i suppose we can make that a debug log, it
should only really be a problem if a developer inserts the auth context
provider in the wrong place.

> Reviewed-by: Lukas Wagner <l.wagner at proxmox.com>
> Tested-by: Lukas Wagner <l.wagner at proxmox.com>