[pve-devel] [PATCH access-control 2/2] PVE/RPCEnvironment: add helper for checking hw permissions

Fabian Grünbichler f.gruenbichler at proxmox.com
Mon Aug 1 14:01:17 CEST 2022


On July 19, 2022 1:46 pm, Dominik Csapak wrote:
> like check_vm_perm, etc.
> 
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
>  src/PVE/RPCEnvironment.pm | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm
> index 7c37c6e..c1b712d 100644
> --- a/src/PVE/RPCEnvironment.pm
> +++ b/src/PVE/RPCEnvironment.pm
> @@ -356,6 +356,14 @@ sub check_vm_perm {
>      return $self->check_full($user, "/vms/$vmid", $privs, $any, $noerr);
>  };
>  
> +sub check_hw_perm {
> +    my ($self, $user, $id, $privs, $any, $noerr) = @_;
> +
> +    my $cfg = $self->{user_cfg};
> +
> +    return $self->check_full($user, "/hardware/$id", $privs, $any, $noerr);
> +}

is this really needed (here?)?

I mean, yes,

$rpcenv->check_hw_perm('foo at bar', "hardware_id", ['Hardware.Use'], 0, 0)

is a (tiny) bit shorter than

$rpcenv->check_full('foo at bar', "/hardware/hardware_id", ['Hardware.Use'], 0, 0)

but ;)

note that check_vm has a special job and is not just a wrapper for 
checking $ID against /$PREFIX/$ID, it is specifically for checking guest 
ACLs while honoring pool ACLs for the special case of "VM is currently 
being created and not formally part of the pool yet"..

similary, check_perm_modify serves the purpose of containing all the 
"modify $path" -> "actual privilege" mappings in a single place.

the rest of the check_foo subs are low-level building blocks/helpers.

> +
>  sub is_group_member {
>      my ($self, $group, $user) = @_;
>  
> -- 
> 2.30.2
> 
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel at lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 
> 




More information about the pve-devel mailing list