[pve-devel] r5552 - in pve-manager/pve2/lib/PVE: . API2

svn-commits at proxmox.com svn-commits at proxmox.com
Wed Feb 16 11:07:22 CET 2011


Author: dietmar
Date: 2011-02-16 11:07:22 +0100 (Wed, 16 Feb 2011)
New Revision: 5552

Modified:
   pve-manager/pve2/lib/PVE/API2.pm
   pve-manager/pve2/lib/PVE/API2/Cluster.pm
   pve-manager/pve2/lib/PVE/REST.pm
Log:
check access permissions


Modified: pve-manager/pve2/lib/PVE/API2/Cluster.pm
===================================================================
--- pve-manager/pve2/lib/PVE/API2/Cluster.pm	2011-02-16 09:59:11 UTC (rev 5551)
+++ pve-manager/pve2/lib/PVE/API2/Cluster.pm	2011-02-16 10:07:22 UTC (rev 5552)
@@ -22,6 +22,7 @@
     path => '', 
     method => 'GET',
     description => "Cluster index.",
+    permissions => { user => 'all' },
     parameters => {
     	additionalProperties => 0,
 	properties => {},
@@ -51,6 +52,7 @@
     path => 'log', 
     method => 'GET',
     description => "Read cluster log",
+    permissions => { user => 'all' },
     parameters => {
     	additionalProperties => 0,
 	properties => {
@@ -89,6 +91,7 @@
     name => 'storage', 
     path => 'storage', 
     method => 'GET',
+    permissions => { user => 'all' },
     description => "Cluster wide storage status.",
     parameters => {
     	additionalProperties => 0,
@@ -104,6 +107,9 @@
     code => sub {
 	my ($param) = @_;
 
+	my $rpcenv = PVE::RPCEnvironment::get();
+	my $user = $rpcenv->get_user();
+
 	my $nodes = PVE::Cluster::get_nodelist();
 
 	my $cfg = PVE::Storage::config();
@@ -115,6 +121,9 @@
 	my $res = [];
 	foreach my $storeid (@sids) {
 	    my $scfg =  PVE::Storage::storage_config ($cfg, $storeid);
+
+	    next if !$rpcenv->check($user, "/storage/$storeid", [ 'Datastore.Audit' ]);
+
 	    if ($scfg->{shared}) {
 		push @$res,{ 
 		    name => $storeid, 
@@ -145,6 +154,7 @@
     path => 'vms', 
     method => 'GET',
     description => "Virtual machine index (cluster wide).",
+    permissions => { user => 'all' },
     parameters => {
     	additionalProperties => 0,
 	properties => {},
@@ -161,6 +171,9 @@
     code => sub {
 	my ($param) = @_;
 
+	my $rpcenv = PVE::RPCEnvironment::get();
+	my $user = $rpcenv->get_user();
+
 	my $vmlist = PVE::Cluster::get_vmlist();
 	my $result = [];
 
@@ -172,6 +185,8 @@
 	foreach my $vmid (keys %$idlist) {
 	    my $data = $idlist->{$vmid};
 
+	    next if !$rpcenv->check($user, "/vms/$vmid", [ 'VM.Audit' ]);
+
 	    push @$result, { 
 		id => $vmid, 
 		name => "VM $vmid", 

Modified: pve-manager/pve2/lib/PVE/API2.pm
===================================================================
--- pve-manager/pve2/lib/PVE/API2.pm	2011-02-16 09:59:11 UTC (rev 5551)
+++ pve-manager/pve2/lib/PVE/API2.pm	2011-02-16 10:07:22 UTC (rev 5552)
@@ -38,6 +38,7 @@
     name => 'index', 
     path => '',
     method => 'GET',
+    permissions => { user => 'all' },
     description => "Directory index.",
     parameters => {
 	additionalProperties => 0,

Modified: pve-manager/pve2/lib/PVE/REST.pm
===================================================================
--- pve-manager/pve2/lib/PVE/REST.pm	2011-02-16 09:59:11 UTC (rev 5551)
+++ pve-manager/pve2/lib/PVE/REST.pm	2011-02-16 10:07:22 UTC (rev 5552)
@@ -325,11 +325,12 @@
 	if (defined($params->{path}) || defined($params->{permissions})) {
 	    my @privs = PVE::Tools::split_list($params->{permissions});
 	    my $path = PVE::AccessControl::normalize_path($params->{path});
-
 	    if (!($path && scalar(@privs) && $rpcenv->check($user, $path, \@privs))) {
+		my $msg = "permission check failed ($params->{path}, $params->{permissions})";
+		syslog('info', $msg);
 		return { 
 		    status => HTTP_FORBIDDEN,
-		    message => "permission check failed ($params->{path}, $params->{permissions})",
+		    message => $msg,
 		};
 	    }
 	}



More information about the pve-devel mailing list