fix(xo-server/rest-api): set apiContext

This makes the REST API more closely resemblethe JSON-RPC API and addresses several issues such as the broken _Rolling Pool Update_ pool action. Fixes https://xcp-ng.org/forum/post/82867
vatesfr · Sep 27, 2024 · eb39e14 · eb39e14
1 parent d520e53
commit eb39e14
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 7 deletions.
diff --git a/CHANGELOG.unreleased.md b/CHANGELOG.unreleased.md
@@ -25,6 +25,8 @@
 
 > Users must be able to say: “I had this issue, happy to know it's fixed”
 
+- [REST API] Fix broken _Rolling Pool Update_ pool action [Forum#82867](https://xcp-ng.org/forum/post/82867)
+
 ### Packages to release
 
 > When modifying a package, add it here with its release type.

diff --git a/packages/xo-server/src/xo-mixins/api.mjs b/packages/xo-server/src/xo-mixins/api.mjs
@@ -316,18 +316,30 @@ export default class Api {
       throw new MethodNotFound(name)
     }
 
-    const apiContext = { __proto__: null, connection }
-
+    let user
     const userId = connection.get('user_id', undefined)
     if (userId !== undefined) {
-      const user = await this._app.getUser(userId)
+      user = await this._app.getUser(userId)
+    }
+
+    return this.runWithApiContext(user, () => {
+      this.apiContext.connection = connection
+
+      return this.#callApiMethod(name, method, params)
+    })
+  }
+
+  async runWithApiContext(user, fn) {
+    const apiContext = { __proto__: null }
+
+    if (user !== undefined) {
       apiContext.user = user
       apiContext.permission = user.permission
     } else {
       apiContext.permission = 'none'
     }
 
-    return this.#apiContext.run(apiContext, () => this.#callApiMethod(name, method, params))
+    return this.#apiContext.run(apiContext, fn)
   }
 
   async #callApiMethod(name, method, params) {

diff --git a/packages/xo-server/src/xo-mixins/rest-api.mjs b/packages/xo-server/src/xo-mixins/rest-api.mjs
@@ -461,8 +461,7 @@ export default class RestApi {
       app.authenticateUser({ token: cookies.authenticationToken ?? cookies.token }, { ip }).then(
         ({ user }) => {
           if (user.permission === 'admin') {
-            req.user = user
-            return next()
+            return app.runWithApiContext(user, next)
           }
 
           res.sendStatus(401)
@@ -658,7 +657,7 @@ export default class RestApi {
             params.affinityHost = affinity
             params.installRepository = install?.repository
 
-            const vm = await $xapi.createVm(template, params, undefined, req.user.id)
+            const vm = await $xapi.createVm(template, params, undefined, app.apiContext.user.id)
             $defer.onFailure.call($xapi, 'VM_destroy', vm.$ref)
 
             if (boot) {