[pve-devel] applied: [PATCH manager] fix #2197: ui: editing CDROM doesn't require VM.Config.Disk rights

Thomas Lamprecht t.lamprecht at proxmox.com
Mon May 13 19:32:05 CEST 2019


A user which just has the default role PVEVMUser on a VM is able to
edit the CDROM, either to no media or if storage permissions are
available also to other ISOs, through the API. So reflect this again
for the WebUI. We could add a check for "VM.Config.CDROM", but that's
not really worth, if we keep in mind that the Ext.Caps state is
heuristically only.

fixes commit 0acdd9fe8568fff4072dd68139c8c48771e1d164

Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
---
 www/manager6/qemu/HardwareView.js | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/www/manager6/qemu/HardwareView.js b/www/manager6/qemu/HardwareView.js
index f60ac7e3..33e50414 100644
--- a/www/manager6/qemu/HardwareView.js
+++ b/www/manager6/qemu/HardwareView.js
@@ -326,14 +326,13 @@ Ext.define('PVE.qemu.HardwareView', {
 
 	    var editor = rowdef.editor;
 	    if (rowdef.tdCls == 'pve-itype-icon-storage') {
-		if (!diskCap) {
-		    return;
-		}
 		var value = me.getObjectValue(rec.data.key, '', true); 
 		if (value.match(/vm-.*-cloudinit/)) {
 		    return;
 		} else if (value.match(/media=cdrom/)) {
 		    editor = 'PVE.qemu.CDEdit';
+		} else if (!diskCap) {
+		    return;
 		}
 	    }
 
@@ -576,10 +575,11 @@ Ext.define('PVE.qemu.HardwareView', {
 	    var rowdef = rows[key];
 
 	    var pending = rec.data['delete'] || me.hasPendingChanges(key);
+	    var isCDRom = (value && !!value.match(/media=cdrom/));
 	    var isUnusedDisk = key.match(/^unused\d+/);
 	    var isUsedDisk = !isUnusedDisk &&
 		rowdef.tdCls == 'pve-itype-icon-storage' &&
-		(value && !value.match(/media=cdrom/));
+		!isCDRom;
 
 	    var isCloudInit = (value && value.toString().match(/vm-.*-cloudinit/));
 
@@ -589,7 +589,7 @@ Ext.define('PVE.qemu.HardwareView', {
 	    remove_btn.setText((isUsedDisk && !isCloudInit) ? remove_btn.altText : remove_btn.defaultText);
 	    remove_btn.RESTMethod = isUnusedDisk ? 'POST':'PUT';
 
-	    edit_btn.setDisabled(rec.data['delete'] || !rowdef.editor || isCloudInit || !diskCap);
+	    edit_btn.setDisabled(rec.data['delete'] || !rowdef.editor || isCloudInit || (!isCDRom && !diskCap));
 
 	    resize_btn.setDisabled(pending || !isUsedDisk || !diskCap);
 
-- 
2.20.1





More information about the pve-devel mailing list