[pve-devel] [PATCH access-control] fix realm sync permissions

Wolfgang Bumiller w.bumiller at proxmox.com
Mon Dec 20 11:31:15 CET 2021


The userid-* permission check variants work on
$param->{userid} directly which does not exist for this
call. Also, they work on the realm of the user being
checked, rather than the realm provided as parameter.

The result was that as a non-root user this always failed
with the message "userid '' too short".

Fix this by making the check explicitly work like in the
description.

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
---
 src/PVE/API2/Domains.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/PVE/API2/Domains.pm b/src/PVE/API2/Domains.pm
index 9c2b254..56e8394 100644
--- a/src/PVE/API2/Domains.pm
+++ b/src/PVE/API2/Domains.pm
@@ -397,8 +397,8 @@ __PACKAGE__->register_method ({
 	description => "'Realm.AllocateUser' on '/access/realm/<realm>' and "
 	    ." 'User.Modify' permissions to '/access/groups/'.",
 	check => [ 'and',
-	    [ 'userid-param', 'Realm.AllocateUser' ],
-	    [ 'userid-group', ['User.Modify'] ],
+	    ['perm', '/access/realm/{realm}', ['Realm.AllocateUser']],
+	    ['perm', '/access/groups', ['User.Modify']],
 	],
     },
     description => "Syncs users and/or groups from the configured LDAP to user.cfg."
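Review bot: The permission description in the unchanged context still names the path as '/access/groups/' with a trailing slash, while the new check on the second added line uses '/access/groups'. Consider writing the path the same way in both places so the documented requirement matches the enforced one character for character. The first added line resolves '/access/realm/{realm}' from the request's realm parameter, whose schema is outside this hunk, so it is worth confirming that realm is declared as a mandatory parameter for this method. As a minor style point, the new entries use ['perm', ...] without inner spacing, whereas the removed lines and the enclosing [ 'and', use a space after the opening bracket.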
-- 
2.30.2





