From eb39e149723b2fb0e19c22931348485bead654ab Mon Sep 17 00:00:00 2001
From: Julien Fontanet <julien.fontanet@isonoe.net>
Date: Thu, 26 Sep 2024 09:25:21 +0200
Subject: [PATCH] fix(xo-server/rest-api): set apiContext

This makes the REST API more closely resemblethe JSON-RPC API and addresses
several issues such as the broken _Rolling Pool Update_ pool action.

Fixes https://xcp-ng.org/forum/post/82867
---
 CHANGELOG.unreleased.md                       |  2 ++
 packages/xo-server/src/xo-mixins/api.mjs      | 20 +++++++++++++++----
 packages/xo-server/src/xo-mixins/rest-api.mjs |  5 ++---
 3 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG.unreleased.md b/CHANGELOG.unreleased.md
index efed7e325a6..1f96a0d7d84 100644
--- a/CHANGELOG.unreleased.md
+++ b/CHANGELOG.unreleased.md
@@ -25,6 +25,8 @@
 
 > Users must be able to say: “I had this issue, happy to know it's fixed”
 
+- [REST API] Fix broken _Rolling Pool Update_ pool action [Forum#82867](https://xcp-ng.org/forum/post/82867)
+
 ### Packages to release
 
 > When modifying a package, add it here with its release type.
diff --git a/packages/xo-server/src/xo-mixins/api.mjs b/packages/xo-server/src/xo-mixins/api.mjs
index 901c68d6400..b49d55a09df 100644
--- a/packages/xo-server/src/xo-mixins/api.mjs
+++ b/packages/xo-server/src/xo-mixins/api.mjs
@@ -316,18 +316,30 @@ export default class Api {
       throw new MethodNotFound(name)
     }
 
-    const apiContext = { __proto__: null, connection }
-
+    let user
     const userId = connection.get('user_id', undefined)
     if (userId !== undefined) {
-      const user = await this._app.getUser(userId)
+      user = await this._app.getUser(userId)
+    }
+
+    return this.runWithApiContext(user, () => {
+      this.apiContext.connection = connection
+
+      return this.#callApiMethod(name, method, params)
+    })
+  }
+
+  async runWithApiContext(user, fn) {
+    const apiContext = { __proto__: null }
+
+    if (user !== undefined) {
       apiContext.user = user
       apiContext.permission = user.permission
     } else {
       apiContext.permission = 'none'
     }
 
-    return this.#apiContext.run(apiContext, () => this.#callApiMethod(name, method, params))
+    return this.#apiContext.run(apiContext, fn)
   }
 
   async #callApiMethod(name, method, params) {
diff --git a/packages/xo-server/src/xo-mixins/rest-api.mjs b/packages/xo-server/src/xo-mixins/rest-api.mjs
index 0d51c5b3824..6e43f569378 100644
--- a/packages/xo-server/src/xo-mixins/rest-api.mjs
+++ b/packages/xo-server/src/xo-mixins/rest-api.mjs
@@ -461,8 +461,7 @@ export default class RestApi {
       app.authenticateUser({ token: cookies.authenticationToken ?? cookies.token }, { ip }).then(
         ({ user }) => {
           if (user.permission === 'admin') {
-            req.user = user
-            return next()
+            return app.runWithApiContext(user, next)
           }
 
           res.sendStatus(401)
@@ -658,7 +657,7 @@ export default class RestApi {
             params.affinityHost = affinity
             params.installRepository = install?.repository
 
-            const vm = await $xapi.createVm(template, params, undefined, req.user.id)
+            const vm = await $xapi.createVm(template, params, undefined, app.apiContext.user.id)
             $defer.onFailure.call($xapi, 'VM_destroy', vm.$ref)
 
             if (boot) {