[pve-devel] applied-series: [PATCH-SERIES qemu-server] clone_disk-related improvements

2022-02-08 Thread Fabian Grünbichler
with the following addition on top (shown here with `-w`), to repeat even more of the checks after forking/locking: diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm index 59e083eb..a359d096 100644 --- a/PVE/API2/Qemu.pm +++ b/PVE/API2/Qemu.pm @@ -3046,7 +3046,6 @@ __PACKAGE__->register_method({

[pve-devel] [PATCH v1 access-control 2/5] tfa: allow superusers to edit root@pam tfa

2022-02-08 Thread Oguz Bektas
users with the SU privilege are able to override the existing check for 'root@pam' when calling tfa-related endpoints of the API. Signed-off-by: Oguz Bektas --- src/PVE/API2/TFA.pm | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.p

[pve-devel] [PATCH v1 access-control++ 0/5] SuperUser privilege

2022-02-08 Thread Oguz Bektas
"SuperUser" (henceforth referred to as SU) privilege allows to give root-only permissions to API users, enabling them to perform privileged actions on behalf of root@pam. this privilege is enabled by default for "root@pam", and also mapped inside "SuperAdministrator" (referred to as SA) changes from RF

[pve-devel] [PATCH v1 container 3/5] fix #2582: api: add checks for 'SuperUser' privilege for root-only options

2022-02-08 Thread Oguz Bektas
this way we can allow non-root users to act as a SU on specific root-only API paths by giving them the built-in SA role or a custom role with the SU privilege included. Signed-off-by: Oguz Bektas --- src/PVE/API2/LXC.pm| 13 ++--- src/PVE/API2/LXC/Status.pm | 8 ++-- src/PVE

[pve-devel] [PATCH v1 access-control 1/5] add default "SuperAdministrator" role with the new "SuperUser" privilege

2022-02-08 Thread Oguz Bektas
we map all valid privileges to the "Administrator" role except "SuperUser". "SuperAdministrator"/SA gets all valid privileges (including the new "SuperUser"/SU priv), and 'root@pam' is assigned as an SA by default. Signed-off-by: Oguz Bektas --- src/PVE/AccessControl.pm | 9 ++--- src/PVE/

[pve-devel] [PATCH v1 manager 4/5] change 'root@pam' checks with 'SuperUser' capability check

2022-02-08 Thread Oguz Bektas
'root@pam' has the privilege by default (since it's an SA), so we can drop the string comparisons all around and check that privilege instead when deciding to enable/disable buttons or views Signed-off-by: Oguz Bektas --- www/manager6/Utils.js | 3 ++- www/manager6/dc/Config.js | 2

[pve-devel] [PATCH v1 qemu-server 5/5] add SuperUser privilege checks for root-only options

2022-02-08 Thread Oguz Bektas
analogous to the changes in container. we now allow users with SU privilege to edit real device configurations, provided that they also have the necessary VM privileges. note that root@pam is still able to do everything as usual --- PVE/API2/Qemu.pm | 119 +--

Re: [pve-devel] [PATCH container] fix #3635: fix pool permission checks on create

2022-02-08 Thread Mira Limbeck
On 10/22/21 08:44, Dominik Csapak wrote: we do not need Permissions.Modify on the pool, so remove it like we did in qemu-server 4fc5242 ("fix pool permission checks on create") Signed-off-by: Dominik Csapak --- src/PVE/API2/LXC.pm | 1 - 1 file changed, 1 deletion(-) diff --git a/src/PVE/A