Fix issue #16 - Unauthorized access to VM functions
maxkofler committed Apr 17, 2024
1 parent 548e711 commit f6db5c5
Showing 1 changed file with 18 additions and 15 deletions.
33 changes: 18 additions & 15 deletions velocity/api/namespaces/vAPI_v/vAPI_v_vm.swift
@@ -105,16 +105,17 @@ extension VAPI {
let c_user = try req.auth.require(VDB.User.self)
let request: Structs.V.VM.EFI.PUT.Req = try req.content.decode(Structs.V.VM.EFI.PUT.Req.self)

guard try c_user.has_permission(permission: "velocity.vm.create", group: nil) else {
self.VDebug("\(c_user.info()) tried to create EFI VM: FORBIDDEN")
return try self.error(code: .V_VM_EFI_PUT_PERMISSION)
}

guard let group = try self.db.group_select(gid: request.gid) else {
self.VDebug("\(c_user.info()) tried to create EFI VM: GROUP NOT FOUND")
return try self.error(code: .V_VM_EFI_PUT_GROUP_NOT_FOUND)
}

guard try c_user.has_permission(permission: "velocity.vm.create", group: group) else {
self.VDebug("\(c_user.info()) tried to create EFI VM: FORBIDDEN")
return try self.error(code: .V_VM_EFI_PUT_PERMISSION)
}


self.VDebug("\(c_user.info()) is creating VM: \(request)")

let vminfo = VDB.VM.Info(name: request.name,
@@ -209,16 +210,17 @@ extension VAPI {
let c_user = try req.auth.require(VDB.User.self)
let request: Structs.V.VM.STATE.POST.Req = try req.content.decode(Structs.V.VM.STATE.POST.Req.self)

guard try c_user.has_permission(permission: "velocity.vm.view", group: nil) else {
self.VDebug("\(c_user.info()) tried to retrieve VM state: FORBIDDEN")
return try self.error(code: .V_VM_STATE_POST_PERMISSION)
}

guard let vm = self.vm_manager.get_vm(vmid: request.vmid) else {
self.VDebug("\(c_user.info()) tried to retrieve VM state: VM NOT FOUND")
return try self.error(code: .V_VM_STATE_POST_VM_NOT_FOUND)
}

guard try c_user.has_permission(permission: "velocity.vm.view", group: vm.vvm.group) else {
self.VDebug("\(c_user.info()) tried to retrieve VM state: FORBIDDEN")
return try self.error(code: .V_VM_STATE_POST_PERMISSION)
}


return try self.response(Structs.V.VM.STATE.Res(vmid: vm.vvm.vmid, state: vm.get_state().rawValue))
}

@@ -230,16 +232,17 @@ extension VAPI {
let c_user = try req.auth.require(VDB.User.self)
let request: Structs.V.VM.STATE.PUT.Req = try req.content.decode(Structs.V.VM.STATE.PUT.Req.self)

guard try c_user.has_permission(permission: "velocity.vm.state", group: nil) else {
self.VDebug("\(c_user.info()) tried to change VM state: FORBIDDEN")
return try self.error(code: .V_VM_STATE_PUT_PERMISSION)
}

guard let vm = self.vm_manager.get_vm(vmid: request.vmid) else {
self.VDebug("\(c_user.info()) tried to retrieve VM state: VM NOT FOUND")
return try self.error(code: .V_VM_STATE_POST_VM_NOT_FOUND)
}

guard try c_user.has_permission(permission: "velocity.vm.state", group: vm.vvm.group) else {
self.VDebug("\(c_user.info()) tried to change VM state: FORBIDDEN")
return try self.error(code: .V_VM_STATE_PUT_PERMISSION)
}


let res = try vm.request_state_transition(state: request.state, force: request.force)

if res {
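Review bot: With the permission guard now placed after the lookup in all three hunks, a caller who lacks rights on the target receives a different error for a missing object than for a forbidden one (for example `.V_VM_STATE_POST_VM_NOT_FOUND` versus `.V_VM_STATE_POST_PERMISSION`), so any authenticated user can tell which `vmid` and `gid` values exist. If that disclosure matters here, the else-branch of `guard let vm` (and of `guard let group`) could answer with the handler's permission code as well, e.g. `return try self.error(code: .V_VM_STATE_PUT_PERMISSION)`, keeping the NOT FOUND wording only in the `VDebug` line. Separately, the not-found branch of the STATE PUT handler still logs "tried to retrieve VM state" and returns `.V_VM_STATE_POST_VM_NOT_FOUND`, which looks like a copy from the POST handler. A regression test that calls each endpoint as a user holding the permission only in a different group would pin the fix for issue #16. The handler bodies begin and end outside the hunks, so any other `group: nil` checks in this file are not visible from here.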