[pve-devel] [PATCH container v10 1/1] check_ct_modify_config_perm: check for tags permissions with 'assert_tag_permissions'

Dominik Csapak d.csapak at proxmox.com
Tue Nov 15 14:02:33 CET 2022


from GuestHelpers. This function checks all necessary permissions and
raises an exception if the user does not have the correct ones.

This is necessary for the new 'privileged' tags and 'user-tag-access'
permissions to work.

Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
changes from v9:
* use GuestHelpers::assert_tag_permissions
 src/PVE/LXC.pm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 4bbd739..3cedc9a 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -1336,6 +1336,10 @@ sub check_ct_modify_config_perm {
 	} elsif ($opt eq 'hookscript') {
 	    # For now this is restricted to root at pam
 	    raise_perm_exc("changing the hookscript is only allowed for root\@pam");
+	} elsif ($opt eq 'tags') {
+	    my $old = $oldconf->{$opt};
+	    my $new = $delete ? '' : $newconf->{$opt};
+	    PVE::GuestHelpers::assert_tag_permissions($vmid, $old, $new, $rpcenv, $authuser);
 	} else {
 	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Options']);
 	}
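Review bot: In the new `elsif ($opt eq 'tags')` branch, the call to `PVE::GuestHelpers::assert_tag_permissions` is not given `$pool`, while the fallback `else` branch passes `$pool` to `check_vm_perm` when checking `VM.Config.Options`. Because `tags` no longer reaches that fallback, please confirm that the helper still enforces `VM.Config.Options` and treats pool-derived permissions the same way as before, or add a short comment saying why `$pool` is not needed here. Separately, `$oldconf->{$opt}` is undef when the container had no tags, whereas the delete case normalizes `$new` to `''`; consider `my $old = $oldconf->{$opt} // '';` unless the helper is documented to accept undef for the old value.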
-- 
2.30.2





