[pve-devel] [PATCH pve-manager] api: notification targets: fix permission check for POST/PUT

Lukas Wagner l.wagner at proxmox.com
Fri Nov 29 09:59:08 CET 2024


This fixes the error:
  unknown permission test at /usr/share/perl5/PVE/RPCEnvironment.pm line 536. (500)
which occurred when trying to create or update a notification target.

The cause was a permission 'check' parameter for the API handlers which was nested
one level too deep by accident.

This regression was introduced in a previous commit which raised the
needed permissions for notification target management. It likely went
unnoticed because the permission check is skipped for root@pam, so
the error occurs only if using another user.

Reported in the community forum:
https://forum.proxmox.com/threads/158101

Fixes: a3fe9c54 ("api: notifications: require powerful privileges for target management")
Signed-off-by: Lukas Wagner <l.wagner at proxmox.com>
---
 PVE/API2/Cluster/Notifications.pm | 96 +++++++++++++------------------
 1 file changed, 40 insertions(+), 56 deletions(-)

diff --git a/PVE/API2/Cluster/Notifications.pm b/PVE/API2/Cluster/Notifications.pm
index 50ee5662..a61ab839 100644
--- a/PVE/API2/Cluster/Notifications.pm
+++ b/PVE/API2/Cluster/Notifications.pm
@@ -500,13 +500,11 @@ __PACKAGE__->register_method ({
     method => 'POST',
     description => 'Create a new sendmail endpoint',
     permissions => {
-	check => [
-	    ['and',
-		['perm', '/mapping/notifications', ['Mapping.Modify']],
-		['or',
-		    ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
-		    ['perm', '/', [ 'Sys.AccessNetwork' ]],
-		],
+	check => ['and',
+	    ['perm', '/mapping/notifications', ['Mapping.Modify']],
+	    ['or',
+		['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
+		['perm', '/', [ 'Sys.AccessNetwork' ]],
 	    ],
 	],
     },
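Review bot: The identical `check` expression is still spelled out in all eight handlers (this sendmail POST hunk and the seven that follow for sendmail PUT, gotify, smtp and webhook), which is presumably how one nesting mistake reached every copy. Defining it once at file level as `my $target_modify_check` and writing `permissions => { check => $target_modify_check },` in each handler would leave a single place to review and, since the commit message says root@pam skips the check, a single place to exercise with a non-root account. That definition is also where a policy comment belongs, e.g. `# Mapping.Modify on /mapping/notifications AND ((Sys.Audit AND Sys.Modify) OR Sys.AccessNetwork) on /`; as far as I know the `perm` test requires every listed privilege unless `any => 1` is given, which the bare list does not make obvious. The register_method calls start and end outside the hunks, so whether anything relies on per-handler copies is not visible here.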
@@ -556,13 +554,11 @@ __PACKAGE__->register_method ({
     method => 'PUT',
     description => 'Update existing sendmail endpoint',
     permissions => {
-	check => [
-	    ['and',
-		['perm', '/mapping/notifications', ['Mapping.Modify']],
-		['or',
-		    ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
-		    ['perm', '/', [ 'Sys.AccessNetwork' ]],
-		],
+	check => ['and',
+	    ['perm', '/mapping/notifications', ['Mapping.Modify']],
+	    ['or',
+		['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
+		['perm', '/', [ 'Sys.AccessNetwork' ]],
 	    ],
 	],
     },
@@ -780,13 +776,11 @@ __PACKAGE__->register_method ({
     method => 'POST',
     description => 'Create a new gotify endpoint',
     permissions => {
-	check => [
-	    ['and',
-		['perm', '/mapping/notifications', ['Mapping.Modify']],
-		['or',
-		    ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
-		    ['perm', '/', [ 'Sys.AccessNetwork' ]],
-		],
+	check => ['and',
+	    ['perm', '/mapping/notifications', ['Mapping.Modify']],
+	    ['or',
+		['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
+		['perm', '/', [ 'Sys.AccessNetwork' ]],
 	    ],
 	],
     },
@@ -832,13 +826,11 @@ __PACKAGE__->register_method ({
     method => 'PUT',
     description => 'Update existing gotify endpoint',
     permissions => {
-	check => [
-	    ['and',
-		['perm', '/mapping/notifications', ['Mapping.Modify']],
-		['or',
-		    ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
-		    ['perm', '/', [ 'Sys.AccessNetwork' ]],
-		],
+	check => ['and',
+	    ['perm', '/mapping/notifications', ['Mapping.Modify']],
+	    ['or',
+		['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
+		['perm', '/', [ 'Sys.AccessNetwork' ]],
 	    ],
 	],
     },
@@ -1099,13 +1091,11 @@ __PACKAGE__->register_method ({
     method => 'POST',
     description => 'Create a new smtp endpoint',
     permissions => {
-	check => [
-	    ['and',
-		['perm', '/mapping/notifications', ['Mapping.Modify']],
-		['or',
-		    ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
-		    ['perm', '/', [ 'Sys.AccessNetwork' ]],
-		],
+	check => ['and',
+	    ['perm', '/mapping/notifications', ['Mapping.Modify']],
+	    ['or',
+		['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
+		['perm', '/', [ 'Sys.AccessNetwork' ]],
 	    ],
 	],
     },
@@ -1165,13 +1155,11 @@ __PACKAGE__->register_method ({
     method => 'PUT',
     description => 'Update existing smtp endpoint',
     permissions => {
-	check => [
-	    ['and',
-		['perm', '/mapping/notifications', ['Mapping.Modify']],
-		['or',
-		    ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
-		    ['perm', '/', [ 'Sys.AccessNetwork' ]],
-		],
+	check => ['and',
+	    ['perm', '/mapping/notifications', ['Mapping.Modify']],
+	    ['or',
+		['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
+		['perm', '/', [ 'Sys.AccessNetwork' ]],
 	    ],
 	],
     },
@@ -1423,13 +1411,11 @@ __PACKAGE__->register_method ({
     method => 'POST',
     description => 'Create a new webhook endpoint',
     permissions => {
-	check => [
-	    ['and',
-		['perm', '/mapping/notifications', ['Mapping.Modify']],
-		['or',
-		    ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
-		    ['perm', '/', [ 'Sys.AccessNetwork' ]],
-		],
+	check => ['and',
+	    ['perm', '/mapping/notifications', ['Mapping.Modify']],
+	    ['or',
+		['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
+		['perm', '/', [ 'Sys.AccessNetwork' ]],
 	    ],
 	],
     },
@@ -1464,13 +1450,11 @@ __PACKAGE__->register_method ({
     method => 'PUT',
     description => 'Update existing webhook endpoint',
     permissions => {
-	check => [
-	    ['and',
-		['perm', '/mapping/notifications', ['Mapping.Modify']],
-		['or',
-		    ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
-		    ['perm', '/', [ 'Sys.AccessNetwork' ]],
-		],
+	check => ['and',
+	    ['perm', '/mapping/notifications', ['Mapping.Modify']],
+	    ['or',
+		['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
+		['perm', '/', [ 'Sys.AccessNetwork' ]],
 	    ],
 	],
     },
-- 
2.39.5




