[pve-devel] [PATCH manager 2/2] api: node: bulk actions: allow when user has permission for each guest
Fiona Ebner
f.ebner at proxmox.com
Wed Mar 1 15:22:20 CET 2023
Users with permissions for some guests can already start a task for
each sequentially.
Signed-off-by: Fiona Ebner <f.ebner at proxmox.com>
---
PVE/API2/Nodes.pm | 39 ++++++++++++++++++++++++++++++++++++---
1 file changed, 36 insertions(+), 3 deletions(-)
diff --git a/PVE/API2/Nodes.pm b/PVE/API2/Nodes.pm
index 47c2d741..c9bf2831 100644
--- a/PVE/API2/Nodes.pm
+++ b/PVE/API2/Nodes.pm
@@ -1756,7 +1756,9 @@ __PACKAGE__->register_method ({
method => 'POST',
protected => 1,
permissions => {
- check => ['perm', '/', [ 'VM.PowerMgmt' ]],
+ description => "The 'VM.PowerMgmt' permission is required on '/' or on '/vms/<ID>' for "
+ ."each ID passed via the 'vms' parameter.",
+ user => 'all',
},
proxyto => 'node',
description => "Start all VMs and containers located on this node (by default only those with onboot=1).",
@@ -1786,6 +1788,15 @@ __PACKAGE__->register_method ({
my $rpcenv = PVE::RPCEnvironment::get();
my $authuser = $rpcenv->get_user();
+ if (!$rpcenv->check($authuser, "/", [ 'VM.PowerMgmt' ], 1)) {
+ my @vms = PVE::Tools::split_list($param->{vms});
+ if (scalar(@vms) > 0) {
+ $rpcenv->check($authuser, "/vms/$_", [ 'VM.PowerMgmt' ]) for @vms;
+ } else {
+ raise_perm_exc("/, VM.PowerMgmt");
+ }
+ }
+
my $nodename = $param->{node};
$nodename = PVE::INotify::nodename() if $nodename eq 'localhost';
@@ -1891,7 +1902,9 @@ __PACKAGE__->register_method ({
method => 'POST',
protected => 1,
permissions => {
- check => ['perm', '/', [ 'VM.PowerMgmt' ]],
+ description => "The 'VM.PowerMgmt' permission is required on '/' or on '/vms/<ID>' for "
+ ."each ID passed via the 'vms' parameter.",
+ user => 'all',
},
proxyto => 'node',
description => "Stop all VMs and Containers.",
@@ -1930,6 +1943,15 @@ __PACKAGE__->register_method ({
my $rpcenv = PVE::RPCEnvironment::get();
my $authuser = $rpcenv->get_user();
+ if (!$rpcenv->check($authuser, "/", [ 'VM.PowerMgmt' ], 1)) {
+ my @vms = PVE::Tools::split_list($param->{vms});
+ if (scalar(@vms) > 0) {
+ $rpcenv->check($authuser, "/vms/$_", [ 'VM.PowerMgmt' ]) for @vms;
+ } else {
+ raise_perm_exc("/, VM.PowerMgmt");
+ }
+ }
+
my $nodename = $param->{node};
$nodename = PVE::INotify::nodename() if $nodename eq 'localhost';
@@ -2056,7 +2078,9 @@ __PACKAGE__->register_method ({
proxyto => 'node',
protected => 1,
permissions => {
- check => ['perm', '/', [ 'VM.Migrate' ]],
+ description => "The 'VM.Migrate' permission is required on '/' or on '/vms/<ID>' for each "
+ ."ID passed via the 'vms' parameter.",
+ user => 'all',
},
description => "Migrate all VMs and Containers.",
parameters => {
@@ -2092,6 +2116,15 @@ __PACKAGE__->register_method ({
my $rpcenv = PVE::RPCEnvironment::get();
my $authuser = $rpcenv->get_user();
+ if (!$rpcenv->check($authuser, "/", [ 'VM.Migrate' ], 1)) {
+ my @vms = PVE::Tools::split_list($param->{vms});
+ if (scalar(@vms) > 0) {
+ $rpcenv->check($authuser, "/vms/$_", [ 'VM.Migrate' ]) for @vms;
+ } else {
+ raise_perm_exc("/, VM.Migrate");
+ }
+ }
+
my $nodename = $param->{node};
$nodename = PVE::INotify::nodename() if $nodename eq 'localhost';
--
2.30.2
More information about the pve-devel
mailing list