[pve-devel] r5552 - in pve-manager/pve2/lib/PVE: . API2
svn-commits at proxmox.com
svn-commits at proxmox.com
Wed Feb 16 11:07:22 CET 2011
Author: dietmar
Date: 2011-02-16 11:07:22 +0100 (Wed, 16 Feb 2011)
New Revision: 5552
Modified:
pve-manager/pve2/lib/PVE/API2.pm
pve-manager/pve2/lib/PVE/API2/Cluster.pm
pve-manager/pve2/lib/PVE/REST.pm
Log:
check access permissions
Modified: pve-manager/pve2/lib/PVE/API2/Cluster.pm
===================================================================
--- pve-manager/pve2/lib/PVE/API2/Cluster.pm 2011-02-16 09:59:11 UTC (rev 5551)
+++ pve-manager/pve2/lib/PVE/API2/Cluster.pm 2011-02-16 10:07:22 UTC (rev 5552)
@@ -22,6 +22,7 @@
path => '',
method => 'GET',
description => "Cluster index.",
+ permissions => { user => 'all' },
parameters => {
additionalProperties => 0,
properties => {},
@@ -51,6 +52,7 @@
path => 'log',
method => 'GET',
description => "Read cluster log",
+ permissions => { user => 'all' },
parameters => {
additionalProperties => 0,
properties => {
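Review bot: `permissions => { user => 'all' }` on the `log` method appears to open the whole cluster log to every user that passes this declaration, and this commit adds no per-entry check for it the way it does in the `storage` and `vms` handlers. The handler body is outside the hunk, so filtering may already happen there; if it does not, log lines about resources a user cannot audit would be readable by that user. If the open access is intended, say so at the declaration, e.g. `# readable by all users; entries are not filtered per resource`, so a later reader does not take it for an oversight.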
@@ -89,6 +91,7 @@
name => 'storage',
path => 'storage',
method => 'GET',
+ permissions => { user => 'all' },
description => "Cluster wide storage status.",
parameters => {
additionalProperties => 0,
@@ -104,6 +107,9 @@
code => sub {
my ($param) = @_;
+ my $rpcenv = PVE::RPCEnvironment::get();
+ my $user = $rpcenv->get_user();
+
my $nodes = PVE::Cluster::get_nodelist();
my $cfg = PVE::Storage::config();
@@ -115,6 +121,9 @@
my $res = [];
foreach my $storeid (@sids) {
my $scfg = PVE::Storage::storage_config ($cfg, $storeid);
+
+ next if !$rpcenv->check($user, "/storage/$storeid", [ 'Datastore.Audit' ]);
+
if ($scfg->{shared}) {
push @$res,{
name => $storeid,
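Review bot: The `next if !$rpcenv->check(...)` filter has no comment explaining that access control for this method now lives inside the loop rather than in the method declaration, which only says `user => 'all'`. A caller without `Datastore.Audit` on any storage gets an empty list rather than a refusal, and a later edit that adds another way to populate `$res` could skip the check without anyone noticing. A line such as `# method is open to all users; each entry is filtered by Datastore.Audit on /storage/<id>` above the check would record that. The same applies to the `VM.Audit` check in the `vms` loop in the hunk at `@@ -172,6 +185,8 @@`; both loops continue outside their hunks.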
@@ -145,6 +154,7 @@
path => 'vms',
method => 'GET',
description => "Virtual machine index (cluster wide).",
+ permissions => { user => 'all' },
parameters => {
additionalProperties => 0,
properties => {},
@@ -161,6 +171,9 @@
code => sub {
my ($param) = @_;
+ my $rpcenv = PVE::RPCEnvironment::get();
+ my $user = $rpcenv->get_user();
+
my $vmlist = PVE::Cluster::get_vmlist();
my $result = [];
@@ -172,6 +185,8 @@
foreach my $vmid (keys %$idlist) {
my $data = $idlist->{$vmid};
+ next if !$rpcenv->check($user, "/vms/$vmid", [ 'VM.Audit' ]);
+
push @$result, {
id => $vmid,
name => "VM $vmid",
Modified: pve-manager/pve2/lib/PVE/API2.pm
===================================================================
--- pve-manager/pve2/lib/PVE/API2.pm 2011-02-16 09:59:11 UTC (rev 5551)
+++ pve-manager/pve2/lib/PVE/API2.pm 2011-02-16 10:07:22 UTC (rev 5552)
@@ -38,6 +38,7 @@
name => 'index',
path => '',
method => 'GET',
+ permissions => { user => 'all' },
description => "Directory index.",
parameters => {
additionalProperties => 0,
Modified: pve-manager/pve2/lib/PVE/REST.pm
===================================================================
--- pve-manager/pve2/lib/PVE/REST.pm 2011-02-16 09:59:11 UTC (rev 5551)
+++ pve-manager/pve2/lib/PVE/REST.pm 2011-02-16 10:07:22 UTC (rev 5552)
@@ -325,11 +325,12 @@
if (defined($params->{path}) || defined($params->{permissions})) {
my @privs = PVE::Tools::split_list($params->{permissions});
my $path = PVE::AccessControl::normalize_path($params->{path});
-
if (!($path && scalar(@privs) && $rpcenv->check($user, $path, \@privs))) {
+ my $msg = "permission check failed ($params->{path}, $params->{permissions})";
+ syslog('info', $msg);
return {
status => HTTP_FORBIDDEN,
- message => "permission check failed ($params->{path}, $params->{permissions})",
+ message => $msg,
};
}
}
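Review bot: The new `syslog('info', $msg)` call passes request-derived text as the format argument, since `$msg` embeds `$params->{path}` and `$params->{permissions}`. If `syslog` here has Sys::Syslog semantics (its import is outside the hunk), any `%` sequence in those values is interpreted as a format directive; passing the message as data avoids that: `syslog('info', '%s', $msg);`. The log entry would also be more useful for audit if it named `$user`, which is already in scope on the check line. The enclosing function starts and ends outside the hunk.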