[pve-devel] [PATCH manager v11 02/13] api: allow all users to (partially) read datacenter.cfg

Dominik Csapak d.csapak at proxmox.com
Wed Nov 16 16:48:04 CET 2022


it contains most ui relevant options, like the console preference and tag-style
so allow these for users without 'Sys.Audit' on '/'
(unchanged for all others)

we also add the list of allowed tags. while not strictly part of the
datacenter config, it's derived from the current user's privileges and
the datacenter config.

Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
 PVE/API2.pm         |  3 ++-
 PVE/API2/Cluster.pm | 24 ++++++++++++++++++++++--
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/PVE/API2.pm b/PVE/API2.pm
index a42561604..6703b941a 100644
--- a/PVE/API2.pm
+++ b/PVE/API2.pm
@@ -5,6 +5,7 @@ use warnings;
 
 use PVE::pvecfg;
 use PVE::DataCenterConfig;
+use PVE::GuestHelpers;
 use PVE::RESTHandler;
 use PVE::JSONSchema;
 
@@ -118,6 +119,7 @@ __PACKAGE__->register_method ({
 
 	my $res = {};
 
+	# TODO remove with next major release
 	my $datacenter_confg = eval { PVE::Cluster::cfs_read_file('datacenter.cfg') } // {};
 	for my $k (qw(console)) {
 	    $res->{$k} = $datacenter_confg->{$k} if exists $datacenter_confg->{$k};
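Review bot: The added TODO does not say what is to be removed or what replaces it, so whoever prepares the next major release has to reconstruct that from this series. The same patch exposes `console` to all users through the `options` method in PVE/API2/Cluster.pm, which is presumably the replacement. The comment could read `# TODO: remove with next major release, clients can read this from the cluster 'options' endpoint`. The enclosing method body starts and ends outside this hunk.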
@@ -129,5 +131,4 @@ __PACKAGE__->register_method ({
 
 	return $res;
     }});
-
 1;
diff --git a/PVE/API2/Cluster.pm b/PVE/API2/Cluster.pm
index 3ca85caa4..a06dc83a2 100644
--- a/PVE/API2/Cluster.pm
+++ b/PVE/API2/Cluster.pm
@@ -10,6 +10,7 @@ use PVE::Cluster qw(cfs_register_file cfs_lock_file cfs_read_file cfs_write_file
 use PVE::DataCenterConfig;
 use PVE::Exception qw(raise_param_exc);
 use PVE::Firewall;
+use PVE::GuestHelpers;
 use PVE::HA::Config;
 use PVE::HA::Env::PVE2;
 use PVE::INotify;
@@ -542,8 +543,9 @@ __PACKAGE__->register_method({
     name => 'get_options',
     path => 'options',
     method => 'GET',
-    description => "Get datacenter options.",
+    description => "Get datacenter options. Without 'Sys.Audit' on '/' not all options are returned.",
     permissions => {
+	user => 'all',
 	check => ['perm', '/', [ 'Sys.Audit' ]],
     },
     parameters => {
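Review bot: With `user => 'all'` added, the retained `check => ['perm', '/', [ 'Sys.Audit' ]]` line still reads as if the endpoint were gated on Sys.Audit, while the real filtering now lives only in the handler code. If, as I understand the permission checker, `user => 'all'` is accepted before `check` is evaluated, then `check` is documentation only and should be marked as such, e.g. `# 'check' is informational: every user passes, the handler filters keys without Sys.Audit`. Anyone auditing access to this endpoint then knows to review the handler's key list rather than this hash. The register_method call starts above and continues below the hunk.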
@@ -557,7 +559,25 @@ __PACKAGE__->register_method({
     code => sub {
 	my ($param) = @_;
 
-	return PVE::Cluster::cfs_read_file('datacenter.cfg');
+	my $res = {};
+
+	my $rpcenv = PVE::RPCEnvironment::get();
+	my $authuser = $rpcenv->get_user();
+
+	my $datacenter_config = eval { PVE::Cluster::cfs_read_file('datacenter.cfg') } // {};
+
+	if ($rpcenv->check($authuser, '/', ['Sys.Audit'], 1)) {
+	    $res = $datacenter_config;
+	} else {
+	    for my $k (qw(console tag-style)) {
+		$res->{$k} = $datacenter_config->{$k} if exists $datacenter_config->{$k};
+	    }
+	}
+
+	my $tags = PVE::GuestHelpers::get_allowed_tags($rpcenv, $authuser);
+	$res->{'allowed-tags'} = [sort keys $tags->%*];
+
+	return $res;
     }});
 
 __PACKAGE__->register_method({
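Review bot: Wrapping `cfs_read_file` in `eval { ... } // {}` changes behaviour for callers that do hold Sys.Audit, which contradicts the "unchanged for all others" in the description. An error while reading or parsing datacenter.cfg previously propagated from the removed `return PVE::Cluster::cfs_read_file('datacenter.cfg');`, and now silently yields a result containing only `allowed-tags`. At minimum log it with `warn "reading datacenter.cfg failed - $@" if $@;` directly after the eval, or swallow the error only in the `else` branch. Separately, `qw(console tag-style)` is the list of what every authenticated user may read, so a comment such as `# keys listed here are readable by every authenticated user` above the loop would protect future edits. The register_method call starts above the hunk.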
-- 
2.30.2





