[pve-devel] [PATCH access-control 2/2] tfa list: account for admin permissions

[Wolfgang Bumiller]

instead of restricting listing tfa entries of others to
root at pam, perform the same checks the user-list does and
which also reflect the permissions of the api calls actually
operating on those users, so, `User.Modify` on the user (but
also `Sys.Audit`, since it's only a read-operation, just
like the user index API call)

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
---
 src/PVE/API2/TFA.pm | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
index 343374e..123aeba 100644
--- a/src/PVE/API2/TFA.pm
+++ b/src/PVE/API2/TFA.pm
@@ -373,10 +373,24 @@ __PACKAGE__->register_method ({
 
 	my $rpcenv = PVE::RPCEnvironment::get();
 	my $authuser = $rpcenv->get_user();
-	my $top_level_allowed = ($authuser eq 'root at pam');
 
 	my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
-	return $tfa_cfg->api_list_tfa($authuser, $top_level_allowed);
+	my $entries = $tfa_cfg->api_list_tfa($authuser, 1);
+
+	my $privs = [ 'User.Modify', 'Sys.Audit' ];
+	if ($rpcenv->check_any($authuser, "/access/groups", $privs, 1)) {
+	    # can modify all
+	    return $entries;
+	}
+
+	my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
+	my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
+	return [
+	    grep {
+		my $userid = $_->{userid};
+		$userid eq $authuser || $allowed_users->{$userid}
+	    } $entries->@*
+	];
     }});
 
 __PACKAGE__->register_method ({
-- 
2.30.2