Users with permissions for some guests can already start a task for each sequentially.
Signed-off-by: Fiona Ebner <[email protected]>
---
 PVE/API2/Nodes.pm | 39 ++++++++++++++++++++++++++++++++++++---
 1 file changed, 36 insertions(+), 3 deletions(-)
diff --git a/PVE/API2/Nodes.pm b/PVE/API2/Nodes.pm
index 47c2d741..c9bf2831 100644
--- a/PVE/API2/Nodes.pm
+++ b/PVE/API2/Nodes.pm
@@ -1756,7 +1756,9 @@ __PACKAGE__->register_method ({
 method => 'POST',
 protected => 1,
 permissions => {
- check => ['perm', '/', [ 'VM.PowerMgmt' ]],
+ description => "The 'VM.PowerMgmt' permission is required on '/' or on '/vms/<ID>' for "
+ ."each ID passed via the 'vms' parameter.",
+ user => 'all',
 },
 proxyto => 'node',
 description => "Start all VMs and containers located on this node (by default only those with onboot=1).",
@@ -1786,6 +1788,15 @@ __PACKAGE__->register_method ({
 my $rpcenv = PVE::RPCEnvironment::get();
 my $authuser = $rpcenv->get_user();

+ if (!$rpcenv->check($authuser, "/", [ 'VM.PowerMgmt' ], 1)) {
+ my @vms = PVE::Tools::split_list($param->{vms});
+ if (scalar(@vms) > 0) {
+ $rpcenv->check($authuser, "/vms/$_", [ 'VM.PowerMgmt' ]) for @vms;
+ } else {
+ raise_perm_exc("/, VM.PowerMgmt");
+ }
+ }
+
 my $nodename = $param->{node};
 $nodename = PVE::INotify::nodename() if $nodename eq 'localhost';

@@ -1891,7 +1902,9 @@ __PACKAGE__->register_method ({
 method => 'POST',
 protected => 1,
 permissions => {
- check => ['perm', '/', [ 'VM.PowerMgmt' ]],
+ description => "The 'VM.PowerMgmt' permission is required on '/' or on '/vms/<ID>' for "
+ ."each ID passed via the 'vms' parameter.",
+ user => 'all',
 },
 proxyto => 'node',
 description => "Stop all VMs and Containers.",
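Review bot: Replacing the declarative `check` with `user => 'all'` in the `permissions` block of the `@@ -1756` hunk means the privilege is no longer enforced from the method declaration, so the check inside this `protected => 1` handler becomes the only gate for any authenticated caller. I would record that next to the new line, for example `user => 'all', # privileges are checked in the handler, depending on 'vms'`, so that a later refactor of the handler does not silently drop the check. The same applies to the `permissions` hunks at `@@ -1891` and `@@ -2056`. The register_method call starts and ends outside the hunk.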
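Review bot: The per-guest check added in the `@@ -1786` hunk authorises exactly the IDs in `$param->{vms}`, but the code that selects the guests to act on is outside the hunk, so it should be confirmed that it never touches a guest missing from that list once `vms` is set. It is also worth confirming that no other parameter of the call widens the selection for a caller without the privilege on `/`. The ACL path `"/vms/$_"` is built from request input, which is fine provided `vms` is constrained to a list of VMIDs by the parameter schema, which is also not visible here. A comment above the block such as `# without the privilege on '/', every guest in 'vms' must be permitted individually` would state the invariant. The same check appears in the hunks at `@@ -1930` and `@@ -2092`.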
@@ -1930,6 +1943,15 @@ __PACKAGE__->register_method ({
 my $rpcenv = PVE::RPCEnvironment::get();
 my $authuser = $rpcenv->get_user();

+ if (!$rpcenv->check($authuser, "/", [ 'VM.PowerMgmt' ], 1)) {
+ my @vms = PVE::Tools::split_list($param->{vms});
+ if (scalar(@vms) > 0) {
+ $rpcenv->check($authuser, "/vms/$_", [ 'VM.PowerMgmt' ]) for @vms;
+ } else {
+ raise_perm_exc("/, VM.PowerMgmt");
+ }
+ }
+
 my $nodename = $param->{node};
 $nodename = PVE::INotify::nodename() if $nodename eq 'localhost';

@@ -2056,7 +2078,9 @@ __PACKAGE__->register_method ({
 proxyto => 'node',
 protected => 1,
 permissions => {
- check => ['perm', '/', [ 'VM.Migrate' ]],
+ description => "The 'VM.Migrate' permission is required on '/' or on '/vms/<ID>' for each "
+ ."ID passed via the 'vms' parameter.",
+ user => 'all',
 },
 description => "Migrate all VMs and Containers.",
 parameters => {
@@ -2092,6 +2116,15 @@ __PACKAGE__->register_method ({
 my $rpcenv = PVE::RPCEnvironment::get();
 my $authuser = $rpcenv->get_user();

+ if (!$rpcenv->check($authuser, "/", [ 'VM.Migrate' ], 1)) {
+ my @vms = PVE::Tools::split_list($param->{vms});
+ if (scalar(@vms) > 0) {
+ $rpcenv->check($authuser, "/vms/$_", [ 'VM.Migrate' ]) for @vms;
+ } else {
+ raise_perm_exc("/, VM.Migrate");
+ }
+ }
+
 my $nodename = $param->{node};
 $nodename = PVE::INotify::nodename() if $nodename eq 'localhost';

--
2.30.2
_______________________________________________ pve-devel mailing list [email protected] https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
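Review bot: The permission block added in the `@@ -1930` hunk is a verbatim copy of the one in the `@@ -1786` hunk and is repeated at `@@ -2092` with only the privilege name changed; three hand-maintained copies of an authorization check tend to drift apart. A small file-local helper that takes the privilege name would keep the three endpoints identical and reduce each handler to a single call. The sketch assumes `raise_perm_exc` and `PVE::Tools::split_list` are in scope, as the hunk itself implies. The handler body starts and ends outside the hunk.

```perl
# Pass if the user holds $priv on '/', or else on every guest named in $vmlist.
my $assert_bulk_guest_priv = sub {
    my ($rpcenv, $authuser, $vmlist, $priv) = @_;

    return if $rpcenv->check($authuser, "/", [ $priv ], 1);

    my @vms = PVE::Tools::split_list($vmlist);
    raise_perm_exc("/, $priv") if !scalar(@vms);

    # check() without the noerr flag raises on the first guest that is not permitted
    $rpcenv->check($authuser, "/vms/$_", [ $priv ]) for @vms;
};

# ... unchanged: $rpcenv and $authuser lookup ...
$assert_bulk_guest_priv->($rpcenv, $authuser, $param->{vms}, 'VM.PowerMgmt');
```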
