[pve-devel] [PATCH access-control 1/2] api: permissions: allow users to view their own permissions

Fabian Grünbichler f.gruenbichler at proxmox.com
Tue Nov 5 09:30:38 CET 2024


even when specifying an explicit userid matching their own.

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
 src/PVE/API2/AccessControl.pm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index c55a7b3..157a5ee 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -486,14 +486,14 @@ __PACKAGE__->register_method({
 	my ($param) = @_;
 
 	my $rpcenv = PVE::RPCEnvironment::get();
+	my $authid = $rpcenv->get_user();
 
 	my $userid = $param->{userid};
-	if (defined($userid)) {
+	$userid = $authid if !defined($userid);
+
+	if ($userid ne $authid) {
 	    $rpcenv->check($rpcenv->get_user(), '/access', ['Sys.Audit']);
-	} else {
-	    $userid = $rpcenv->get_user();
 	}
-
 	my $res;
 
 	if (my $path = $param->{path}) {
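Review bot: Inside the new `if ($userid ne $authid)` block, the privilege check still calls `$rpcenv->get_user()` even though `$authid` now holds that value. Passing `$authid` to `$rpcenv->check(...)` would make it obvious that the identity being compared and the identity being checked for `Sys.Audit` on `/access` are the same. The comparison is an exact string `ne`, so any `userid` that is not byte-for-byte equal to the caller's id still goes through the `Sys.Audit` check. That fails closed, which is the right direction, but a short comment saying so would help. Minor style point: the hunk also drops the blank line that separated the check from `my $res;`, and keeping it would preserve the visual break between the authorization logic and the result handling.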
-- 
2.39.5




