[pve-devel] [PATCH manager 4/6] api: backup: update: check permissions of delete params too
Fiona Ebner
f.ebner at proxmox.com
Wed Nov 16 15:04:33 CET 2022
Signed-off-by: Fiona Ebner <f.ebner at proxmox.com>
---
PVE/API2/Backup.pm | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/PVE/API2/Backup.pm b/PVE/API2/Backup.pm
index c0800bac..684a078e 100644
--- a/PVE/API2/Backup.pm
+++ b/PVE/API2/Backup.pm
@@ -54,6 +54,14 @@ sub assert_param_permission_common {
}
}
+my sub assert_param_permission_update {
+ my ($rpcenv, $user, $update, $delete) = @_;
+ return if $user eq 'root at pam'; # always OK
+
+ assert_param_permission_common($rpcenv, $user, $update);
+ assert_param_permission_common($rpcenv, $user, $delete);
+}
+
my $convert_to_schedule = sub {
my ($job) = @_;
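Review bot: `$delete` can be undef when the second call in `assert_param_permission_update` runs, because the call site in the last hunk only builds the hash `if $delete`, so a request without a `delete` parameter passes undef into `assert_param_permission_common`. That function's body is outside this hunk, so whether it tolerates undef or silently autovivifies it cannot be confirmed from here. Guarding the call makes the intent explicit: `assert_param_permission_common($rpcenv, $user, $delete) if $delete;`. A short comment would also help, noting that the delete map stores `1` for every listed key, so both `exists` and `defined` tests in the common helper treat a deleted option like a set one; this is presumably the intended effect, but it should be verified against that helper.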
@@ -424,8 +432,6 @@ __PACKAGE__->register_method({
my $rpcenv = PVE::RPCEnvironment::get();
my $user = $rpcenv->get_user();
- assert_param_permission_common($rpcenv, $user, $param);
-
if (my $pool = $param->{pool}) {
$rpcenv->check_pool_exist($pool);
$rpcenv->check($user, "/pool/$pool", ['VM.Backup']);
@@ -437,6 +443,8 @@ __PACKAGE__->register_method({
my $delete = extract_param($param, 'delete');
$delete = { map { $_ => 1 } PVE::Tools::split_list($delete) } if $delete;
+ assert_param_permission_update($rpcenv, $user, $param, $delete);
+
my $update_job = sub {
my $data = cfs_read_file('vzdump.cron');
my $jobs_data = cfs_read_file('jobs.cfg');
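Review bot: The privileged-option assertion now runs after the pool checks and after whatever sits between the second and third hunks, which is not visible here, so please confirm that nothing in that gap acts on `$param` before the check. The enclosing handler starts and ends outside the hunk. A one-line comment above the new call would record why the delete set is included, for example `# removing an option changes the job as well, so it needs the same privilege as setting it`. A regression test that sends a restricted key only via `delete` as a non-root user would keep this from regressing.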
--
2.30.2