From 5aa4ff8f4dce9102491ab28275f99f5befdcf6f4 Mon Sep 17 00:00:00 2001
From: Thomas Hipp <thomas.hipp@canonical.com>
Date: Fri, 7 Jul 2023 18:53:01 +0200
Subject: [PATCH] lxd: Check project permissions when importing from backup

Fixes #11958

Signed-off-by: Thomas Hipp <thomas.hipp@canonical.com>
---
 lxd/instances_post.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/lxd/instances_post.go b/lxd/instances_post.go
index 52b7e3dd4ed5..d470ea3a781e 100644
--- a/lxd/instances_post.go
+++ b/lxd/instances_post.go
@@ -627,6 +627,21 @@ func createFromBackup(s *state.State, r *http.Request, projectName string, data
 		return response.BadRequest(err)
 	}
 
+	// Check project permissions.
+	err = s.DB.Cluster.Transaction(s.ShutdownCtx, func(ctx context.Context, tx *db.ClusterTx) error {
+		req := api.InstancesPost{
+			InstancePut: bInfo.Config.Container.InstancePut,
+			Name:        bInfo.Name,
+			Source:      api.InstanceSource{}, // Only relevant for "copy" or "migration", but may not be nil.
+			Type:        api.InstanceType(bInfo.Config.Container.Type),
+		}
+
+		return project.AllowInstanceCreation(tx, projectName, req)
+	})
+	if err != nil {
+		return response.SmartError(err)
+	}
+
 	bInfo.Project = projectName
 
 	// Override pool.