From 3e1a618e3497f8c333d4415008f31805a6560ae0 Mon Sep 17 00:00:00 2001
From: Fabian Ebner <f.ebner@proxmox.com>
Date: Wed, 30 Mar 2022 12:24:29 +0200
Subject: [PATCH] check volume access: always allow with Datastore.Allocate
 privilege
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Such users are supposed to be administrators of the storage, but
previously, access to backups was not allowed when not also having
VM.Backup.

Suggested-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
---
 PVE/Storage.pm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/PVE/Storage.pm b/PVE/Storage.pm
index 6112991..0349564 100755
--- a/PVE/Storage.pm
+++ b/PVE/Storage.pm
@@ -477,6 +477,8 @@ sub check_volume_access {
 
     my ($sid, $volname) = parse_volume_id($volid, 1);
     if ($sid) {
+	return if $rpcenv->check($user, "/storage/$sid", ['Datastore.Allocate'], 1);
+
 	my ($vtype, undef, $ownervm) = parse_volname($cfg, $volid);
 	if ($vtype eq 'iso' || $vtype eq 'vztmpl') {
 	    # require at least read access to storage, (custom) templates/ISOs could be sensitive
@@ -487,8 +489,7 @@ sub check_volume_access {
 	    $rpcenv->check($user, "/storage/$sid", ['Datastore.AllocateSpace']);
 	    $rpcenv->check($user, "/vms/$ownervm", ['VM.Backup']);
 	} else {
-	    # allow if we are Datastore administrator
-	    $rpcenv->check($user, "/storage/$sid", ['Datastore.Allocate']);
+	    die "missing privileges to access $volid\n";
 	}
     } else {
 	die "Only root can pass arbitrary filesystem paths."