[pve-devel] [PATCH manager 7/9] api: replication: fix usages of RPCEnvironment check method

Fiona Ebner f.ebner at proxmox.com
Fri Jul 18 11:30:13 CEST 2025 

The RPCEnvironment's check() method is used without $noerr, so it will
already fail and raise a permission exception when the privilege is
missing.

The usage in the job_status endpoint can be simplified, as the
raise_perm_exc() there is dead code.

The other two usages actually want to set the $noerr argument. In
particular, this makes it possible to use the 'status' endpoint, when
the user does not have VM.Audit for all guests with a replication job
and to read the log with only Sys.Audit privilege on the node. Both
would previously fail, because the check for VM.Audit would raise an
exception already.

Signed-off-by: Fiona Ebner <f.ebner at proxmox.com>
---
 PVE/API2/Replication.pm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/PVE/API2/Replication.pm b/PVE/API2/Replication.pm
index 7d048f53..c8416239 100644
--- a/PVE/API2/Replication.pm
+++ b/PVE/API2/Replication.pm
@@ -236,7 +236,7 @@ __PACKAGE__->register_method({
             my $data = $extract_job_status->($jobs->{$id}, $id);
             my $guest = $data->{guest};
             next if defined($param->{guest}) && $guest != $param->{guest};
-            next if !$rpcenv->check($authuser, "/vms/$guest", ['VM.Audit']);
+            next if !$rpcenv->check($authuser, "/vms/$guest", ['VM.Audit'], 1);
             push @$res, $data;
         }
 
@@ -311,7 +311,7 @@ __PACKAGE__->register_method({
         my $data = $extract_job_status->($jobcfg, $jobid);
         my $guest = $data->{guest};
 
-        raise_perm_exc() if !$rpcenv->check($authuser, "/vms/$guest", ['VM.Audit']);
+        $rpcenv->check($authuser, "/vms/$guest", ['VM.Audit']);
 
         return $data;
     },
@@ -381,8 +381,8 @@ __PACKAGE__->register_method({
         my $vmid = $data->{guest};
         raise_perm_exc()
             if (!(
-                $rpcenv->check($authuser, "/vms/$vmid", ['VM.Audit'])
-                || $rpcenv->check($authuser, "/nodes/$node", ['Sys.Audit'])
+                $rpcenv->check($authuser, "/vms/$vmid", ['VM.Audit'], 1)
+                || $rpcenv->check($authuser, "/nodes/$node", ['Sys.Audit'], 1)
             ));
 
         my ($count, $lines) =
-- 
2.47.2

More information about the pve-devel mailing list