[pve-devel] [PATCH manager] api: nodes/subscription: implement reasonable access rights

Thomas Lamprecht t.lamprecht at proxmox.com
Thu Nov 30 08:20:34 CET 2017


Allow users which have Sys.Audit on a specific node to get the
subscription status and those with Sys.Modify to set and check
(update) it.

This mirrors the required permissions from other node specific
actions, e.g., APT (package management).

We always showed the Subscription Panel and all its elements in the
WebUI, so no need for change there.

Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
---
 PVE/API2/Subscription.pm | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/PVE/API2/Subscription.pm b/PVE/API2/Subscription.pm
index bedc6a5b..9d24dce8 100644
--- a/PVE/API2/Subscription.pm
+++ b/PVE/API2/Subscription.pm
@@ -91,6 +91,9 @@ __PACKAGE__->register_method ({
     name => 'get',
     path => '',
     method => 'GET',
+    permissions => {
+	check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]],
+    },
     description => "Read subscription info.",
     proxyto => 'node',
     permissions => { user => 'all' },
@@ -128,6 +131,9 @@ __PACKAGE__->register_method ({
     name => 'update',
     path => '',
     method => 'POST',
+    permissions => {
+	check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+    },
     description => "Update subscription info.",
     proxyto => 'node',
     protected => 1,
@@ -179,6 +185,9 @@ __PACKAGE__->register_method ({
     name => 'set',
     path => '',
     method => 'PUT',
+    permissions => {
+	check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+    },
     description => "Set subscription key.",
     proxyto => 'node',
     protected => 1,
-- 
2.11.0





More information about the pve-devel mailing list