[pve-devel] [PATCH manager 7/9] api: replication: fix usages of RPCEnvironment check method
Fiona Ebner
f.ebner at proxmox.com
Fri Jul 18 11:30:13 CEST 2025
The RPCEnvironment's check() method is used without $noerr, so it will
already fail and raise a permission exception when the privilege is
missing.
The usage in the job_status endpoint can be simplified, as the
raise_perm_exc() there is dead code.
The other two usages actually want to set the $noerr argument. In
particular, this makes it possible to use the 'status' endpoint, when
the user does not have VM.Audit for all guests with a replication job
and to read the log with only Sys.Audit privilege on the node. Both
would previously fail, because the check for VM.Audit would raise an
exception already.
Signed-off-by: Fiona Ebner <f.ebner at proxmox.com>
---
PVE/API2/Replication.pm | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/PVE/API2/Replication.pm b/PVE/API2/Replication.pm
index 7d048f53..c8416239 100644
--- a/PVE/API2/Replication.pm
+++ b/PVE/API2/Replication.pm
@@ -236,7 +236,7 @@ __PACKAGE__->register_method({
my $data = $extract_job_status->($jobs->{$id}, $id);
my $guest = $data->{guest};
next if defined($param->{guest}) && $guest != $param->{guest};
- next if !$rpcenv->check($authuser, "/vms/$guest", ['VM.Audit']);
+ next if !$rpcenv->check($authuser, "/vms/$guest", ['VM.Audit'], 1);
push @$res, $data;
}
@@ -311,7 +311,7 @@ __PACKAGE__->register_method({
my $data = $extract_job_status->($jobcfg, $jobid);
my $guest = $data->{guest};
- raise_perm_exc() if !$rpcenv->check($authuser, "/vms/$guest", ['VM.Audit']);
+ $rpcenv->check($authuser, "/vms/$guest", ['VM.Audit']);
return $data;
},
@@ -381,8 +381,8 @@ __PACKAGE__->register_method({
my $vmid = $data->{guest};
raise_perm_exc()
if (!(
- $rpcenv->check($authuser, "/vms/$vmid", ['VM.Audit'])
- || $rpcenv->check($authuser, "/nodes/$node", ['Sys.Audit'])
+ $rpcenv->check($authuser, "/vms/$vmid", ['VM.Audit'], 1)
+ || $rpcenv->check($authuser, "/nodes/$node", ['Sys.Audit'], 1)
));
my ($count, $lines) =
--
2.47.2
More information about the pve-devel
mailing list