api: config: Require PRIV_DATASTORE_AUDIT to modify sync job

Read access to sync jobs is not granted to users not having at least PRIV_DATASTORE_AUDIT permissions on the datastore. However a user is able to create or modify such jobs, without having the audit permission. Therefore, further restrict the modify check by also including the audit permissions. Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
2025-01-05 09:17:59 +03:00 · 2024-11-11 16:43:41 +01:00 · 2024-11-11 16:43:41 +01:00 · 5876a963b8
commit 5876a963b8
parent 46951c103b
1 changed files with 2 additions and 2 deletions
--- a/src/api2/config/sync.rs
+++ b/src/api2/config/sync.rs
@ -44,7 +44,7 @@ pub fn check_sync_job_modify_access(
    job: &SyncJobConfig,
 ) -> bool {
    let ns_anchor_privs = user_info.lookup_privs(auth_id, &job.acl_path());
-    if ns_anchor_privs & PRIV_DATASTORE_BACKUP == 0 {
+    if ns_anchor_privs & PRIV_DATASTORE_BACKUP == 0 || ns_anchor_privs & PRIV_DATASTORE_AUDIT == 0 {
        return false;
    }

@ -502,7 +502,7 @@ user: write@pbs
        r###"
 acl:1:/datastore/localstore1:read@pbs,write@pbs:DatastoreAudit
 acl:1:/datastore/localstore1:write@pbs:DatastoreBackup
-acl:1:/datastore/localstore2:write@pbs:DatastorePowerUser
+acl:1:/datastore/localstore2:write@pbs:DatastoreAudit,DatastorePowerUser
 acl:1:/datastore/localstore3:write@pbs:DatastoreAdmin
 acl:1:/remote/remote1:read@pbs,write@pbs:RemoteAudit
 acl:1:/remote/remote1/remotestore1:write@pbs:RemoteSyncOperator