[pve-devel] [PATCH access-control 1/2] api: permissions: allow users to view their own permissions

Tue, 05 Nov 2024 00:37:12 -0800 

even when specifying an explicit userid matching their own.

Signed-off-by: Fabian Grünbichler <f.gruenbich...@proxmox.com>
---
 src/PVE/API2/AccessControl.pm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index c55a7b3..157a5ee 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -486,14 +486,14 @@ __PACKAGE__->register_method({
        my ($param) = @_;
 
        my $rpcenv = PVE::RPCEnvironment::get();
+       my $authid = $rpcenv->get_user();
 
        my $userid = $param->{userid};
-       if (defined($userid)) {
+       $userid = $authid if !defined($userid);
+
+       if ($userid ne $authid) {
            $rpcenv->check($rpcenv->get_user(), '/access', ['Sys.Audit']);
-       } else {
-           $userid = $rpcenv->get_user();
        }
-
        my $res;
 
        if (my $path = $param->{path}) {
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Reply via email to