From 3e4994a54f81ad86ee91479cec0f8498908b57f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?=
Date: Tue, 24 May 2022 11:46:20 +0200
Subject: [PATCH] api: tape: use check_privs instead of manual lookup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
these all contain the path in the error message already, so no (new) potential for leakage..
Signed-off-by: Fabian Grünbichler
---
 src/api2/tape/backup.rs | 15 +++------------
 src/api2/tape/restore.rs | 10 ++--------
 2 files changed, 5 insertions(+), 20 deletions(-)
diff --git a/src/api2/tape/backup.rs b/src/api2/tape/backup.rs
index ba08994f..02bad990 100644
--- a/src/api2/tape/backup.rs
+++ b/src/api2/tape/backup.rs
@@ -47,20 +47,11 @@ fn check_backup_permission(
 ) -> Result<(), Error> {
 let user_info = CachedUserInfo::new()?;
- let privs = user_info.lookup_privs(auth_id, &["datastore", store]);
- if (privs & PRIV_DATASTORE_READ) == 0 {
- bail!("no permissions on /datastore/{}", store);
- }
+ user_info.check_privs(auth_id, &["datastore", store], PRIV_DATASTORE_READ, false)?;
- let privs = user_info.lookup_privs(auth_id, &["tape", "drive", drive]);
- if (privs & PRIV_TAPE_WRITE) == 0 {
- bail!("no permissions on /tape/drive/{}", drive);
- }
+ user_info.check_privs(auth_id, &["tape", "drive", drive], PRIV_TAPE_WRITE, false)?;
- let privs = user_info.lookup_privs(auth_id, &["tape", "pool", pool]);
- if (privs & PRIV_TAPE_WRITE) == 0 {
- bail!("no permissions on /tape/pool/{}", pool);
- }
+ user_info.check_privs(auth_id, &["tape", "pool", pool], PRIV_TAPE_WRITE, false)?;
 Ok(())
 }
diff --git a/src/api2/tape/restore.rs b/src/api2/tape/restore.rs
index 0df35922..d84e1357 100644
--- a/src/api2/tape/restore.rs
+++ b/src/api2/tape/restore.rs
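Review bot: The bare `false` passed as the fourth argument of each `check_privs` call in `check_backup_permission` does not say what it selects, and it is the one place where the new code could behave differently from the removed code. The old test `(privs & PRIV_…) == 0` accepted any overlapping bit, while a non-partial check presumably requires every bit of the required mask. The two are equivalent only while `PRIV_DATASTORE_READ` and `PRIV_TAPE_WRITE` are single-bit constants, which this hunk does not show. I would add a comment above the first call, `// partial = false: every bit of the required mask must be granted`; the same applies to the two calls in `restore()` in src/api2/tape/restore.rs. The function's signature starts outside the hunk.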
@@ -361,10 +361,7 @@ pub fn restore(
 }
 }
- let privs = user_info.lookup_privs(&auth_id, &["tape", "drive", &drive]);
- if (privs & PRIV_TAPE_READ) == 0 {
- bail!("no permissions on /tape/drive/{}", drive);
- }
+ user_info.check_privs(&auth_id, &["tape", "drive", &drive], PRIV_TAPE_READ, false)?;
 let media_set_uuid = media_set.parse()?;
@@ -376,10 +373,7 @@ pub fn restore(
 let pool = inventory.lookup_media_set_pool(&media_set_uuid)?;
- let privs = user_info.lookup_privs(&auth_id, &["tape", "pool", &pool]);
- if (privs & PRIV_TAPE_READ) == 0 {
- bail!("no permissions on /tape/pool/{}", pool);
- }
+ user_info.check_privs(&auth_id, &["tape", "pool", &pool], PRIV_TAPE_READ, false)?;
 let (drive_config, _digest) = pbs_config::drive::config()?;
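Review bot: In the second `restore()` hunk the pool name handed to `check_privs` is not taken from the request; it is the result of `inventory.lookup_media_set_pool(&media_set_uuid)?`, which runs before the pool privilege check. The denial message therefore discloses which pool a media set belongs to, to a caller who passed the drive check but lacks `PRIV_TAPE_READ` on that pool. If the lookup fails with its own error, that caller can also tell known media-set UUIDs from unknown ones. Both behaviours predate this commit, so the commit message's "no (new) potential for leakage" holds, but the ordering deserves a comment now that the path ends up in a shared helper's error text. Suggested above the call: `// pool is derived from the media set, not from the request; the error reveals its name to callers without pool access`. `restore()` starts and ends outside the hunk.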