From 75b377219dc3a9e7cb39b5072e0c2f85cacce46b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
Date: Tue, 24 May 2022 11:12:16 +0200
Subject: [PATCH] api: backup env: use check_privs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

it includes the path, which might be helpful when users are switching to
using namespaces. datastore and namespace lookup happens after, so this
doesn't leak anything.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 src/api2/backup/mod.rs | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/src/api2/backup/mod.rs b/src/api2/backup/mod.rs
index d484cdb4..f5e5b721 100644
--- a/src/api2/backup/mod.rs
+++ b/src/api2/backup/mod.rs
@@ -9,7 +9,7 @@ use hyper::{Body, Request, Response, StatusCode};
 use serde::Deserialize;
 use serde_json::{json, Value};
 
-use proxmox_router::list_subdirs_api_method;
+use proxmox_router::{http_err, list_subdirs_api_method};
 use proxmox_router::{
     ApiHandler, ApiMethod, ApiResponseFuture, Permission, Router, RpcEnvironment, SubdirMap,
 };
@@ -90,10 +90,14 @@ fn upgrade_to_backup_protocol(
 
         let user_info = CachedUserInfo::new()?;
 
-        let privs = user_info.lookup_privs(&auth_id, &store_with_ns.acl_path());
-        if privs & PRIV_DATASTORE_BACKUP == 0 {
-            proxmox_router::http_bail!(FORBIDDEN, "permission check failed");
-        }
+        user_info
+            .check_privs(
+                &auth_id,
+                &store_with_ns.acl_path(),
+                PRIV_DATASTORE_BACKUP,
+                false,
+            )
+            .map_err(|err| http_err!(FORBIDDEN, "{err}"))?;
 
         let datastore = DataStore::lookup_datastore(&store, Some(Operation::Write))?;