From f6db5c5901eaa110fdba45cc0e9563b7d09f74fe Mon Sep 17 00:00:00 2001 From: Max Kofler Date: Wed, 17 Apr 2024 19:18:19 +0200 Subject: [PATCH] Fix issue #16 - Unauthorized access to VM functions --- .../api/namespaces/vAPI_v/vAPI_v_vm.swift | 33 ++++++++++--------- 1 file changed, 18 insertions(+), 15 deletions(-) diff --git a/velocity/api/namespaces/vAPI_v/vAPI_v_vm.swift b/velocity/api/namespaces/vAPI_v/vAPI_v_vm.swift index 803a8bb..ab697f3 100644 --- a/velocity/api/namespaces/vAPI_v/vAPI_v_vm.swift +++ b/velocity/api/namespaces/vAPI_v/vAPI_v_vm.swift @@ -105,16 +105,17 @@ extension VAPI { let c_user = try req.auth.require(VDB.User.self) let request: Structs.V.VM.EFI.PUT.Req = try req.content.decode(Structs.V.VM.EFI.PUT.Req.self) - guard try c_user.has_permission(permission: "velocity.vm.create", group: nil) else { - self.VDebug("\(c_user.info()) tried to create EFI VM: FORBIDDEN") - return try self.error(code: .V_VM_EFI_PUT_PERMISSION) - } - guard let group = try self.db.group_select(gid: request.gid) else { self.VDebug("\(c_user.info()) tried to create EFI VM: GROUP NOT FOUND") return try self.error(code: .V_VM_EFI_PUT_GROUP_NOT_FOUND) } + guard try c_user.has_permission(permission: "velocity.vm.create", group: group) else { + self.VDebug("\(c_user.info()) tried to create EFI VM: FORBIDDEN") + return try self.error(code: .V_VM_EFI_PUT_PERMISSION) + } + + self.VDebug("\(c_user.info()) is creating VM: \(request)") let vminfo = VDB.VM.Info(name: request.name, @@ -209,16 +210,17 @@ extension VAPI { let c_user = try req.auth.require(VDB.User.self) let request: Structs.V.VM.STATE.POST.Req = try req.content.decode(Structs.V.VM.STATE.POST.Req.self) - guard try c_user.has_permission(permission: "velocity.vm.view", group: nil) else { - self.VDebug("\(c_user.info()) tried to retrieve VM state: FORBIDDEN") - return try self.error(code: .V_VM_STATE_POST_PERMISSION) - } - guard let vm = self.vm_manager.get_vm(vmid: request.vmid) else { self.VDebug("\(c_user.info()) tried to retrieve VM state: VM NOT FOUND") return try self.error(code: .V_VM_STATE_POST_VM_NOT_FOUND) } + guard try c_user.has_permission(permission: "velocity.vm.view", group: vm.vvm.group) else { + self.VDebug("\(c_user.info()) tried to retrieve VM state: FORBIDDEN") + return try self.error(code: .V_VM_STATE_POST_PERMISSION) + } + + return try self.response(Structs.V.VM.STATE.Res(vmid: vm.vvm.vmid, state: vm.get_state().rawValue)) } @@ -230,16 +232,17 @@ extension VAPI { let c_user = try req.auth.require(VDB.User.self) let request: Structs.V.VM.STATE.PUT.Req = try req.content.decode(Structs.V.VM.STATE.PUT.Req.self) - guard try c_user.has_permission(permission: "velocity.vm.state", group: nil) else { - self.VDebug("\(c_user.info()) tried to change VM state: FORBIDDEN") - return try self.error(code: .V_VM_STATE_PUT_PERMISSION) - } - guard let vm = self.vm_manager.get_vm(vmid: request.vmid) else { self.VDebug("\(c_user.info()) tried to retrieve VM state: VM NOT FOUND") return try self.error(code: .V_VM_STATE_POST_VM_NOT_FOUND) } + guard try c_user.has_permission(permission: "velocity.vm.state", group: vm.vvm.group) else { + self.VDebug("\(c_user.info()) tried to change VM state: FORBIDDEN") + return try self.error(code: .V_VM_STATE_PUT_PERMISSION) + } + + let res = try vm.request_state_transition(state: request.state, force: request.force) if res {