check_volume_access: tighten checks for iso/tmpl
(custom) templates might contain sensitive data, so require at least read access on the underlying storage to access ISO and template files. the same permissions are already needed for listing them, so this is unlikely to cause fallout. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
committed by
Thomas Lamprecht
parent
31b63708c2
commit
061b9ca666
@ -399,7 +399,8 @@ sub check_volume_access {
|
||||
if ($sid) {
|
||||
my ($vtype, undef, $ownervm) = parse_volname($cfg, $volid);
|
||||
if ($vtype eq 'iso' || $vtype eq 'vztmpl') {
|
||||
# we simply allow access
|
||||
# at least read access to storage
|
||||
$rpcenv->check_any($user, "/storage/$sid", ['Datastore.AllocateSpace', 'Datastore.Audit']);
|
||||
} elsif (defined($ownervm) && defined($vmid) && ($ownervm == $vmid)) {
|
||||
# we are owner - allow access
|
||||
} elsif ($vtype eq 'backup' && $ownervm) {
|
||||
|
||||
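Review bot: The new `check_any` call in the `iso`/`vztmpl` branch discards its return value, so the tightened check only holds if `check_any` raises on denial, and the one-line comment above it states neither that nor why the check exists. I would expand the comment to `# require at least read access to the storage: (custom) templates/ISOs may contain sensitive data; check_any dies if $user has neither privilege`, after confirming the raising behaviour against the RPC environment implementation. Whether other content types that can hold sensitive data get an equivalent storage-level check cannot be seen from this hunk and is worth confirming in the later branches. check_volume_access begins and ends outside the hunk.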