From 2981cdd4c00d35d6e654197d6e57ef94d8c0ca9f Mon Sep 17 00:00:00 2001 From: Thomas Lamprecht Date: Sat, 4 Jun 2022 15:30:25 +0200 Subject: [PATCH] api: datastore status: use cheaper any_privs_below over can_access_any_namespace Signed-off-by: Thomas Lamprecht --- src/api2/admin/datastore.rs | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/src/api2/admin/datastore.rs b/src/api2/admin/datastore.rs index ca958988..43a54132 100644 --- a/src/api2/admin/datastore.rs +++ b/src/api2/admin/datastore.rs @@ -63,8 +63,8 @@ use proxmox_rest_server::{formatter, WorkerTask}; use crate::api2::backup::optional_ns_param; use crate::api2::node::rrd::create_value_from_rrd; use crate::backup::{ - can_access_any_namespace, check_ns_privs_full, verify_all_backups, verify_backup_dir, - verify_backup_group, verify_filter, ListAccessibleBackupGroups, NS_PRIVS_OK, + check_ns_privs_full, verify_all_backups, verify_backup_dir, verify_backup_group, verify_filter, + ListAccessibleBackupGroups, NS_PRIVS_OK, }; use crate::server::jobstate::Job; @@ -645,13 +645,12 @@ pub fn status( true } else if store_privs & PRIV_DATASTORE_READ != 0 { false // allow at least counts, user can read groups anyway.. - } else if let Ok(ref datastore) = datastore { - if !can_access_any_namespace(Arc::clone(datastore), &auth_id, &user_info) { - return Err(http_err!(FORBIDDEN, "permission check failed")); - } - false } else { - return Err(http_err!(FORBIDDEN, "permission check failed")); // avoid leaking existance info + match user_info.any_privs_below(&auth_id, &["datastore", &store], NS_PRIVS_OK) { + // avoid leaking existance info if users hasn't at least any priv. below + Ok(false) | Err(_) => return Err(http_err!(FORBIDDEN, "permission check failed")), + _ => false, + } }; let datastore = datastore?; // only unwrap no to avoid leaking existance info