From 4f404a59ec31c53606a8352ad209c38954610886 Mon Sep 17 00:00:00 2001
From: Andrew Walker <awalker@ixsystems.com>
Date: Tue, 21 Jan 2025 11:55:13 -0600
Subject: [PATCH] Raise ValidationError on perm change for readonly paths
 (#15452)

This commit introduces additional validation to check whether the
path on which user is trying to change permissions is set to
readonly. This appears to be a fairly common occurance with our
SCALE userbase and so we need to cleanly explain why they can't
do this.
---
 src/middlewared/middlewared/plugins/filesystem_/acl.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/middlewared/middlewared/plugins/filesystem_/acl.py b/src/middlewared/middlewared/plugins/filesystem_/acl.py
index 4d4955932dcd4..86b9823dfca51 100644
--- a/src/middlewared/middlewared/plugins/filesystem_/acl.py
+++ b/src/middlewared/middlewared/plugins/filesystem_/acl.py
@@ -84,6 +84,13 @@ def _common_perm_path_validate(self, schema, data, verrors, pool_mp_ok=False):
                 f'{schema}.path',
                 'Path component for is currently encrypted and locked'
             )
+        else:
+            statfs_flags = self.middleware.call_sync('filesystem.statfs', path)['flags']
+            if 'RO' in statfs_flags:
+                verrors.add(
+                    f'{schema}.path',
+                    f'{path}: dataset underlying path has the readonly property enabled.'
+                )
 
         return loc