[pve-devel] r5546 - in pve-manager/pve2: . lib/PVE
svn-commits at proxmox.com
svn-commits at proxmox.com
Wed Feb 16 08:37:24 CET 2011
Author: dietmar
Date: 2011-02-16 08:37:24 +0100 (Wed, 16 Feb 2011)
New Revision: 5546
Modified:
pve-manager/pve2/ChangeLog
pve-manager/pve2/lib/PVE/REST.pm
Log:
factor out method to check access permissions.
Modified: pve-manager/pve2/ChangeLog
===================================================================
--- pve-manager/pve2/ChangeLog 2011-02-16 07:15:58 UTC (rev 5545)
+++ pve-manager/pve2/ChangeLog 2011-02-16 07:37:24 UTC (rev 5546)
@@ -2,6 +2,7 @@
* lib/PVE/REST.pm (rest_handler): use new PVE::RPCEnvironment
methods instead on ACLCache.
+ (check_permissions): factor out method to check access permissions.
2011-02-15 Proxmox Support Team <support at proxmox.com>
Modified: pve-manager/pve2/lib/PVE/REST.pm
===================================================================
--- pve-manager/pve2/lib/PVE/REST.pm 2011-02-16 07:15:58 UTC (rev 5545)
+++ pve-manager/pve2/lib/PVE/REST.pm 2011-02-16 07:37:24 UTC (rev 5546)
@@ -263,6 +263,30 @@
return OK;
}
+my $check_permissions = sub {
+ my ($rpcenv, $perm, $username, $param) = @_;
+
+ return 1 if $username eq 'root';
+
+ die "permission check failed (user != root)\n" if !$perm;
+
+ return 1 if $perm->{user} && $perm->{user} eq 'all';
+
+ return 1 if $perm->{user} && $perm->{user} eq 'arg' &&
+ $username eq $param->{username};
+
+ if ($perm->{path} && $perm->{privs}) {
+ my $path = PVE::Tools::template_replace($perm->{path}, $param);
+ if (!$rpcenv->check($username, $path, $perm->{privs})) {
+ my $privstr = join(',', @{$perm->{privs}});
+ die "permission check failed ($path, $privstr)\n";
+ }
+ return 1;
+ }
+
+ die "permission check failed\n";
+};
+
sub rest_handler {
my ($method, $abs_uri, $rel_uri, $ticket, $params) = @_;
@@ -300,7 +324,7 @@
if (defined($params->{path}) || defined($params->{permissions})) {
my @privs = PVE::Tools::split_list($params->{permissions});
- $path = PVE::AccessControl::normalize_path($params->{path});
+ my $path = PVE::AccessControl::normalize_path($params->{path});
if (!($path && scalar(@privs) && $rpcenv->check($user, $path, \@privs))) {
return {
@@ -342,19 +366,12 @@
}
# check access permissions
- if (my $perm = $info->{permissions}) {
- if (!$rpcenv->check($username, $perm->{path}, $perm->{privs})) {
- my $privstr = join(',', @{$perm->{privs}});
- my $path = PVE::Tools::template_replace($perm->{path}, $uri_param);
- return {
- status => HTTP_FORBIDDEN,
- message => "permission check failed ($path, $privstr)",
- };
- }
- } else {
- if ($username ne 'root') {
- return { status => HTTP_FORBIDDEN };
- }
+ eval { &$check_permissions($rpcenv, $info->{permissions}, $username, $uri_param); };
+ if (my $err = $@) {
+ return {
+ status => HTTP_FORBIDDEN,
+ message => $err,
+ };
}
if ($info->{proxyto}) {
More information about the pve-devel
mailing list