[pve-devel] r5546 - in pve-manager/pve2: . lib/PVE

svn-commits at proxmox.com svn-commits at proxmox.com
Wed Feb 16 08:37:24 CET 2011


Author: dietmar
Date: 2011-02-16 08:37:24 +0100 (Wed, 16 Feb 2011)
New Revision: 5546

Modified:
   pve-manager/pve2/ChangeLog
   pve-manager/pve2/lib/PVE/REST.pm
Log:
factor out method to check access permissions.


Modified: pve-manager/pve2/ChangeLog
===================================================================
--- pve-manager/pve2/ChangeLog	2011-02-16 07:15:58 UTC (rev 5545)
+++ pve-manager/pve2/ChangeLog	2011-02-16 07:37:24 UTC (rev 5546)
@@ -2,6 +2,7 @@
 
 	* lib/PVE/REST.pm (rest_handler): use new PVE::RPCEnvironment
 	methods instead on ACLCache.
+	(check_permissions): factor out method to check access permissions.
 
 2011-02-15  Proxmox Support Team  <support at proxmox.com>
 

Modified: pve-manager/pve2/lib/PVE/REST.pm
===================================================================
--- pve-manager/pve2/lib/PVE/REST.pm	2011-02-16 07:15:58 UTC (rev 5545)
+++ pve-manager/pve2/lib/PVE/REST.pm	2011-02-16 07:37:24 UTC (rev 5546)
@@ -263,6 +263,30 @@
     return OK;
 }
 
+my $check_permissions = sub {
+    my ($rpcenv, $perm, $username, $param) = @_;
+
+    return 1 if $username eq 'root';
+
+    die "permission check failed (user != root)\n" if !$perm;
+
+    return 1 if $perm->{user} && $perm->{user} eq 'all';
+
+    return 1 if $perm->{user} && $perm->{user} eq 'arg' && 
+	$username eq $param->{username};
+
+    if ($perm->{path} && $perm->{privs}) {
+	my $path = PVE::Tools::template_replace($perm->{path}, $param);
+	if (!$rpcenv->check($username, $path, $perm->{privs})) {
+	    my $privstr = join(',', @{$perm->{privs}});
+	    die "permission check failed ($path, $privstr)\n";
+	}
+	return 1;
+    }
+
+    die "permission check failed\n";
+};
+
 sub rest_handler {
     my ($method, $abs_uri, $rel_uri, $ticket, $params) = @_;
 
@@ -300,7 +324,7 @@
 	 
 	if (defined($params->{path}) || defined($params->{permissions})) {
 	    my @privs = PVE::Tools::split_list($params->{permissions});
-	    $path = PVE::AccessControl::normalize_path($params->{path});
+	    my $path = PVE::AccessControl::normalize_path($params->{path});
 
 	    if (!($path && scalar(@privs) && $rpcenv->check($user, $path, \@privs))) {
 		return { 
@@ -342,19 +366,12 @@
     }
 
     # check access permissions
-    if (my $perm = $info->{permissions}) {
-	if (!$rpcenv->check($username, $perm->{path}, $perm->{privs})) {
-	    my $privstr = join(',', @{$perm->{privs}});
-	    my $path = PVE::Tools::template_replace($perm->{path}, $uri_param);
-	    return { 
-		status => HTTP_FORBIDDEN, 
-		message => "permission check failed ($path, $privstr)",
-	    };
-	}
-    } else {
-	if ($username ne 'root') {
-	    return { status => HTTP_FORBIDDEN };
-	}
+    eval { &$check_permissions($rpcenv, $info->{permissions}, $username, $uri_param); };
+    if (my $err = $@) {
+	return { 
+	    status => HTTP_FORBIDDEN, 
+	    message => $err,
+	};
     }
 
     if ($info->{proxyto}) {



More information about the pve-devel mailing list