fix #5574: api: fix permission check for 'spice' usb port

With the last change in the permission check, I accidentally broke the
check for 'spice' host value, since in the if/elsif/else this will fall
through to the else case which was only intended for when neither 'host'
nor 'mapping' was set.

This made 'spice' only settable by root@pam since there we return early.

To fix this, move the spice check into the 'host' branch, but only error
out in case it's not spice.

Fixes: e3971865 (enable cluster mapped USB devices for guests)
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index efe69b5c88aa283af74d9e5eedc5ae21bb443e68..a3313f3a9ab75bde91218f9346a5b708fa77eee8 100644 (file)
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -661,8 +661,12 @@ my sub check_usb_perm {
     $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.HWType']);
 
     my $device = PVE::JSONSchema::parse_property_string('pve-qm-usb', $value);
-    if ($device->{host} && $device->{host} !~ m/^spice$/i) {
-       die "only root can set '$opt' config for real devices\n";
+    if ($device->{host}) {
+       if ($device->{host} =~ m/^spice$/i) {
+           # already checked generic permission above
+       } else {
+           die "only root can set '$opt' config for real devices\n";
+       }
     } elsif ($device->{mapping}) {
        $rpcenv->check_full($authuser, "/mapping/usb/$device->{mapping}", ['Mapping.Use']);
     } else {