and regular users to read all their own tasks as well as those of their associated tokens.
Signed-off-by: Fabian Grünbichler <[email protected]>
---
 PVE/API2/Tasks.pm | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/PVE/API2/Tasks.pm b/PVE/API2/Tasks.pm
index 5dc6a4ad..8f6ab603 100644
--- a/PVE/API2/Tasks.pm
+++ b/PVE/API2/Tasks.pm
@@ -24,6 +24,18 @@ my $convert_token_task = sub {
 }
 };
+my $check_task_user = sub {
+ my ($task, $user) = @_;
+
+ if ($task->{tokenid}) {
+ my $fulltoken = PVE::AccessControl::join_tokenid($task->{user}, $task->{tokenid});
+ # token only sees token tasks, user sees user + token tasks
+ return $user eq $fulltoken || $user eq $task->{user};
+ } else {
+ return $user eq $task->{user};
+ }
+};
+
 __PACKAGE__->register_method({
 name => 'node_tasks',
 path => '',
@@ -126,7 +138,7 @@ __PACKAGE__->register_method({
 my $task = shift;
 return 1 if $userfilter && $task->{user} !~ m/\Q$userfilter\E/i;
- return 1 if !($auditor || $user eq $task->{user});
+ return 1 if !($auditor || $check_task_user->($task, $user));
 return 1 if $typefilter && $task->{type} ne $typefilter;
@@ -253,7 +265,7 @@ __PACKAGE__->register_method({
 $convert_token_task->($task);
- if ($user ne $task->{user}) {
+ if (!$check_task_user->($task, $user)) {
 $rpcenv->check($user, "/nodes/$node", [ 'Sys.Modify' ]);
 }
@@ -322,7 +334,7 @@ __PACKAGE__->register_method({
 $convert_token_task->($task);
- if ($user ne $task->{user}) {
+ if (!$check_task_user->($task, $user)) {
 $rpcenv->check($user, "/nodes/$node", [ 'Sys.Audit' ]);
 }
@@ -380,7 +392,7 @@ __PACKAGE__->register_method({
 $convert_token_task->($task);
- if ($user ne $task->{user}) {
+ if (!$check_task_user->($task, $user)) {
 $rpcenv->check($user, "/nodes/$node", [ 'Sys.Audit' ]);
 }
-- 
2.20.1
_______________________________________________
pve-devel mailing list
[email protected]
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
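Review bot: The new `$check_task_user` closure only yields the intended owner-or-token answer for a task that has already been normalised by `$convert_token_task` (user and tokenid split into separate fields); the three later hunks show that call directly before the check, but the `node_tasks` filter in the second hunk does not show it, so it is worth confirming the conversion runs before `$filter_task` is applied there — an unconverted task would still carry the combined id in `$task->{user}` and the owning user would no longer match it. A short contract comment above the closure would make that precondition explicit: `# Expects $task already passed through $convert_token_task; $user is the authenticated principal (user id or full token id).`. The existing `# token only sees token tasks, user sees user + token tasks` comment is helpful; adding that a user only matches tokens built from their own `$task->{user}` (via join_tokenid) would complete the picture.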
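Review bot: The guard `if (!$check_task_user->($task, $user)) { $rpcenv->check($user, "/nodes/$node", [ ... ]); }` is now written out identically in the third, fourth and fifth hunks, differing only in the privilege name, so the owner-or-privilege rule lives in three places. Since `$rpcenv` and `$node` appear to be method-local in each of these code subs, a shared helper would have to take them as arguments, e.g. `my $check_task_access = sub { my ($rpcenv, $task, $user, $node, $priv) = @_; $rpcenv->check($user, "/nodes/$node", [ $priv ]) if !$check_task_user->($task, $user); };`, called as `$check_task_access->($rpcenv, $task, $user, $node, 'Sys.Modify')` here and with `'Sys.Audit'` in the other two. This is a style point only; the behaviour of the commit is unchanged by it. The enclosing register_method code blocks start and end outside these hunks.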
