[pve-devel] [PATCH access-control 2/2] PVE/RPCEnvironment: add helper for checking hw permissions
Fabian Grünbichler
f.gruenbichler at proxmox.com
Mon Aug 1 14:01:17 CEST 2022
On July 19, 2022 1:46 pm, Dominik Csapak wrote:
> like check_vm_perm, etc.
>
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
> src/PVE/RPCEnvironment.pm | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm
> index 7c37c6e..c1b712d 100644
> --- a/src/PVE/RPCEnvironment.pm
> +++ b/src/PVE/RPCEnvironment.pm
> @@ -356,6 +356,14 @@ sub check_vm_perm {
> return $self->check_full($user, "/vms/$vmid", $privs, $any, $noerr);
> };
>
> +sub check_hw_perm {
> + my ($self, $user, $id, $privs, $any, $noerr) = @_;
> +
> + my $cfg = $self->{user_cfg};
> +
> + return $self->check_full($user, "/hardware/$id", $privs, $any, $noerr);
> +}
is this really needed (here?)?
I mean, yes,
$rpcenv->check_hw_perm('foo at bar', "hardware_id", ['Hardware.Use'], 0, 0)
is a (tiny) bit shorter than
$rpcenv->check_full('foo at bar', "/hardware/hardware_id", ['Hardware.Use'], 0, 0)
but ;)
note that check_vm has a special job and is not just a wrapper for
checking $ID against /$PREFIX/$ID, it is specifically for checking guest
ACLs while honoring pool ACLs for the special case of "VM is currently
being created and not formally part of the pool yet"..
similary, check_perm_modify serves the purpose of containing all the
"modify $path" -> "actual privilege" mappings in a single place.
the rest of the check_foo subs are low-level building blocks/helpers.
> +
> sub is_group_member {
> my ($self, $group, $user) = @_;
>
> --
> 2.30.2
>
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
>
>
More information about the pve-devel
mailing list