[pdm-devel] [PATCH datacenter-manager/proxmox/yew-comp v3 00/10] add support for checking acl permissions in (yew) front-ends

Shannon Sterz s.sterz at proxmox.com
Thu Nov 13 15:27:04 CET 2025 

On Thu Nov 13, 2025 at 2:58 PM CET, Fabian Grünbichler wrote:
> On November 6, 2025 3:38 pm, Shannon Sterz wrote:
>> this patch series adds support for querying acl entries from the
>> front-end. it also makes it possible to reactively render ui components
>> depending on the user's privileges and refreshes this information every
>> time a new ticket is set.
>>
>> the first four patches make it possible to use the AclTree by itself in
>> the ui. first by creating a new feature that exposes only it and some
>> types to dependent crates. then some functions that basically just query
>> the AclTree are moved to the AclTree itself to make it easier to re-use
>> them. the fourth patch derives Debug and PartialEq on the AclTree and
>> AclTreeNode to make it easier to handle these types in the ui. finally
>> the last commit allows to query all of a user's acl entries via the
>> API_METHOD_READ_ACL endpoint.
>
> high-level question:
>
> the actual privilege checks in the backend use the full set of ACLs. the
> frontend can only ever see a subset of ACLs, since giving it all ACLs
> would leak a lot of sensitive information.
>
> doesn't that mean that the frontend will make wrong decisions in some
> scenarios?
>
> e.g., the backend currently doesn't return any group ACLs if you do
> exact filtering. but group ACLs can influence the ACL resolution

as discussed off list, that'd be true if the filter in
`extract_acl_node_data` isn't adapted. i'll add a fixme comment to the
next version of this series for now.

how exactely to takle this will depend on how we implement groups:

* does a user know that they are part of a group?
* if disclosing such membership is fine, is it fine to disclose what the
  group has access to in all cases? e.g. what if the user is part of a
  group, but certain acl entries are then restricted on top via a
  NoAccess privilege or similar?
* will looking up whether the user is part of a group be handled by the
  acl tree directly? (this is at least indicated by comments already
  present in `AclTreeNode::extract_group_roles()`)

most of these are difficult to answer without actually tackling an
implementation of the group feature. not entirely sure how i can address
this here beside adding that `fixme` comment.

i suppose i could also try to extract the roles with `AclTree::roles`,
which extracts the roles via `AclTreeNode::extract_roles` which is
already somewhat opinionated about how groups should work here. not sure
what is ideal here.

>> the next two patches first add an AclContext and AclContextProvider
>> implementation to proxmox-yew-comp. these allow applications to provide
>> acl information that components can hook into and get reactively
>> re-rendered. it also triggers reloading the acl information every time a
>> user logs in or a ticket gets refreshed.
>>
>> lastly, proxmox-datacenter-manager is adapted to use this new
>> functionality. the seventh commit moves the AccessControlConfig to the
>> shared api types crate, so we can re-use it in the front-end. then an
>> AclContextProvider is added to the main ui component. this allows
>> components to retrieve said AclContext and use it to conditionally
>> render ui components. the last commit adds just such functionality to
>> the notes section of the pdm ui.
>>
>> Follow-up
>> ---------
>>
>> if this series is applied, more ui components will need to be hooked
>> into the context to more widely use this functionality accross the
>> application.
>>
>> Changelog
>> ---------
>>
>> note that there was already a v2 [1] of this series, but this was a mistake
>> and should be considered a v1. sorry for the confusion.
>>
>> changes since v2:
>>
>> - combine impl only functions into private modules and impl blocks to
>>   more cleanly separate them out (thanks @ Wolfgang Bumiller)
>> - add a small clean up commit for in-lining format string variables
>>
>> changes since v1:
>>
>> - move removing a use line to the right commit (thanks @ Dominik Csapak)
>> - instead of adapting the NodesView, simply avoid setting an on_submit
>>   callback if the user doesn't have the permissions (thanks @ Dominik
>>   Csapak)
>>
>>
>> proxmox:
>>
>> Shannon Sterz (5):
>>   access-control: add acl feature to only expose types and the AclTree
>>   access-control: use format strings where possible
>>   access-control: move functions querying privileges to the AclTree
>>   access-control: derive Debug and PartialEq on AclTree and AclTreeNode
>>   access-control: allow reading all acls of the current authid
>>
>>  proxmox-access-control/Cargo.toml             |   5 +-
>>  proxmox-access-control/src/acl.rs             | 509 +++++++++++-------
>>  proxmox-access-control/src/api/acl.rs         |  37 +-
>>  .../src/cached_user_info.rs                   |  91 +---
>>  proxmox-access-control/src/init.rs            |  91 ++--
>>  proxmox-access-control/src/lib.rs             |   4 +-
>>  proxmox-access-control/src/token_shadow.rs    |   2 +-
>>  proxmox-access-control/src/user.rs            |   3 +-
>>  8 files changed, 415 insertions(+), 327 deletions(-)
>>
>>
>> proxmox-yew-comp:
>>
>> Shannon Sterz (2):
>>   acl_context: add AclContext and AclContextProvider
>>   http_helpers: reload LocalAclTree when logging in or refreshing a
>>     ticket
>>
>>  Cargo.toml          |   2 +-
>>  src/acl_context.rs  | 204 ++++++++++++++++++++++++++++++++++++++++++++
>>  src/http_helpers.rs |   5 ++
>>  src/lib.rs          |   3 +
>>  4 files changed, 213 insertions(+), 1 deletion(-)
>>  create mode 100644 src/acl_context.rs
>>
>>
>> proxmox-datacenter-manager:
>>
>> Shannon Sterz (3):
>>   server/api-types: move AccessControlConfig to shared api types
>>   ui: add an AclContext via the AclContextProvider to the main app ui
>>   ui: main menu: use the AclContext to hide the Notes if appropriate
>>
>>  lib/pdm-api-types/Cargo.toml |   1 +
>>  lib/pdm-api-types/src/acl.rs | 158 ++++++++++++++++++++++++++++++++++
>>  server/src/acl.rs            | 162 +----------------------------------
>>  ui/Cargo.toml                |   1 +
>>  ui/src/main.rs               |  14 ++-
>>  ui/src/main_menu.rs          |  68 ++++++++++-----
>>  6 files changed, 221 insertions(+), 183 deletions(-)
>>
>>
>> Summary over all repositories:
>>   18 files changed, 849 insertions(+), 511 deletions(-)
>>
>> --
>> Generated by git-murpp 0.8.1
>>
>>
>> _______________________________________________
>> pdm-devel mailing list
>> pdm-devel at lists.proxmox.com
>> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
>>
>>
>>
>
>
> _______________________________________________
> pdm-devel mailing list
> pdm-devel at lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel

More information about the pdm-devel mailing list