[pve-devel] [PATCH access-control 2/2] PVE/RPCEnvironment: add helper for checking hw permissions

Dominik Csapak d.csapak at proxmox.com
Tue Aug 9 08:55:28 CEST 2022


On 8/1/22 14:01, Fabian Grünbichler wrote:
> On July 19, 2022 1:46 pm, Dominik Csapak wrote:
>> like check_vm_perm, etc.
>>
>> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
>> ---
>>   src/PVE/RPCEnvironment.pm | 8 ++++++++
>>   1 file changed, 8 insertions(+)
>>
>> diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm
>> index 7c37c6e..c1b712d 100644
>> --- a/src/PVE/RPCEnvironment.pm
>> +++ b/src/PVE/RPCEnvironment.pm
>> @@ -356,6 +356,14 @@ sub check_vm_perm {
>>       return $self->check_full($user, "/vms/$vmid", $privs, $any, $noerr);
>>   };
>>   
>> +sub check_hw_perm {
>> +    my ($self, $user, $id, $privs, $any, $noerr) = @_;
>> +
>> +    my $cfg = $self->{user_cfg};
>> +
>> +    return $self->check_full($user, "/hardware/$id", $privs, $any, $noerr);
>> +}
> 
> is this really needed (here?)?
> 
> I mean, yes,
> 
> $rpcenv->check_hw_perm('foo@bar', "hardware_id", ['Hardware.Use'], 0, 0)
> 
> is a (tiny) bit shorter than
> 
> $rpcenv->check_full('foo@bar', "/hardware/hardware_id", ['Hardware.Use'], 0, 0)
> 
> but ;)
> 
> note that check_vm has a special job and is not just a wrapper for
> checking $ID against /$PREFIX/$ID, it is specifically for checking guest
> ACLs while honoring pool ACLs for the special case of "VM is currently
> being created and not formally part of the pool yet"..
> 
> similarly, check_perm_modify serves the purpose of containing all the
> "modify $path" -> "actual privilege" mappings in a single place.
> 
> the rest of the check_foo subs are low-level building blocks/helpers.
> 

you're right, the helper is not really necessary

>> +
>>   sub is_group_member {
>>       my ($self, $group, $user) = @_;
>>   
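
Review bot: `my $cfg = $self->{user_cfg};` in check_hw_perm is assigned and never read, so it should be dropped, which leaves the sub as a single check_full call. The same sub interpolates $id into "/hardware/$id" without any check, so an id containing "/" would be evaluated against a deeper ACL path than the caller meant; either validate the id format in the helper or document that callers must pass an already-verified id.
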
>> -- 
>> 2.30.2
>>
>>
>>
>> _______________________________________________
>> pve-devel mailing list
>> pve-devel at lists.proxmox.com
>> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel