Commit | Line | Data |
---|---|---|
2c3a6c0a DM |
1 | package PVE::API2::Group; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | use PVE::Cluster qw (cfs_read_file cfs_write_file); | |
6 | use PVE::AccessControl; | |
7 | ||
8 | use PVE::SafeSyslog; | |
9 | ||
10 | use Data::Dumper; # fixme: remove | |
11 | ||
12 | use PVE::RESTHandler; | |
13 | ||
14 | use base qw(PVE::RESTHandler); | |
15 | ||
# Build the API view of a single group entry taken from the parsed user.cfg.
#   $data - hash ref for one group; only its 'comment' and 'users' keys are read
#   $full - when true, the member list is included as well
# Returns a fresh hash ref. The 'users' key is set only when $full is true, so
# callers that omit $full (the group index) never return membership data.
my $extract_group_data = sub {
    my ($data, $full) = @_;

    my $view = {};

    if (defined $data->{comment}) {
        $view->{comment} = $data->{comment};
    }

    if ($full) {
        # Member names are the keys of the users hash; the order is whatever
        # keys() yields and is not stable between calls.
        my $members = $data->{users};
        $view->{users} = $members ? [ keys %$members ] : [];
    }

    return $view;
};
29 | ||
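# fixme: index should return more/all attributes?
#
# GET on the collection: list the groups the caller may see.
# The method is open to every authenticated user (user => 'all'); the actual
# restriction is applied inside the handler, per group, so any change to the
# filter below directly changes what is disclosed.
__PACKAGE__->register_method ({
    name => 'index',
    path => '',
    method => 'GET',
    description => "Group index.",
    permissions => {
        description => "The returned list is restricted to groups where you have 'User.Allocate' or 'Sys.Audit' permissions on '/access', or 'User.Allocate' on /access/groups/<group>.",
        user => 'all',
    },
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => {
        type => 'array',
        items => {
            type => "object",
            properties => {
                groupid => { type => 'string' },
            },
        },
        links => [ { rel => 'child', href => "{groupid}" } ],
    },
    code => sub {
        my ($param) = @_;

        my $res = [];

        # NOTE(review): PVE::RPCEnvironment is not among this file's 'use'
        # lines; presumably it is loaded before this handler runs - confirm.
        my $rpcenv = PVE::RPCEnvironment::get();
        my $usercfg = cfs_read_file("user.cfg");
        my $authuser = $rpcenv->get_user();

        my $privs = [ 'User.Allocate', 'Sys.Audit' ];

        # Global grant: any of $privs on '/access' shows every group.
        # The trailing 1 presumably asks for a false return instead of an
        # exception when the check fails - confirm against PVE::RPCEnvironment.
        my $allow = $rpcenv->check_any($authuser, "/access", $privs, 1);

        # Per-group grants; used as a lookup keyed by group id below.
        my $allowed_groups = $rpcenv->filter_groups($authuser, $privs, 1);

        foreach my $group (keys %{$usercfg->{groups}}) {
            # Skip groups the caller has neither a global nor a per-group grant for.
            next unless $allow || $allowed_groups->{$group};

            # Called without the 'full' flag, so member lists are not returned.
            my $entry = $extract_group_data->($usercfg->{groups}->{$group});
            $entry->{groupid} = $group;
            push @$res, $entry;
        }

        return $res;
    }});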
77 | ||
# POST on the collection: add a new, empty group to user.cfg.
# Requires 'Sys.Modify' on '/access'. The group id is validated by the
# 'pve-groupid' format before the handler runs; the comment is free text.
# NOTE(review): 'protected => 1' presumably routes the call to the privileged
# daemon - confirm against PVE::RESTHandler.
__PACKAGE__->register_method ({
    name => 'create_group',
    protected => 1,
    path => '',
    method => 'POST',
    permissions => {
        check => ['perm', '/access', ['Sys.Modify']],
    },
    description => "Create new group.",
    parameters => {
        additionalProperties => 0,
        properties => {
            groupid => { type => 'string', format => 'pve-groupid' },
            comment => { type => 'string', optional => 1 },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        # Read, check and write happen inside the user-config lock so that a
        # concurrent writer cannot slip in between the existence test and the
        # write-back.
        my $create = sub {
            my $cfg = cfs_read_file("user.cfg");
            my $groupid = $param->{groupid};

            if ($cfg->{groups}{$groupid}) {
                die "group '$groupid' already exists\n";
            }

            # New groups start without members.
            $cfg->{groups}{$groupid} = { users => {} };

            # Only a true-valued comment is stored ('' and '0' are dropped).
            if ($param->{comment}) {
                $cfg->{groups}{$groupid}{comment} = $param->{comment};
            }

            cfs_write_file("user.cfg", $cfg);
        };

        PVE::AccessControl::lock_user_config($create, "create group failed");

        return undef;
    }});
118 | ||
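# PUT on a single group: update the stored comment.
# Requires 'Sys.Modify' on '/access'. Only the comment can be changed here;
# membership is not touched (see the fixme in the parameter list).
__PACKAGE__->register_method ({
    name => 'update_group',
    protected => 1,
    path => '{groupid}',
    method => 'PUT',
    permissions => {
        check => ['perm', '/access', ['Sys.Modify']],
    },
    description => "Update group data.",
    parameters => {
        additionalProperties => 0,
        properties => {
            # fixme: set/delete members
            groupid => { type => 'string', format => 'pve-groupid' },
            comment => { type => 'string', optional => 1 },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        # The whole read-modify-write cycle runs under the user-config lock.
        PVE::AccessControl::lock_user_config(
            sub {

                my $usercfg = cfs_read_file("user.cfg");

                my $group = $param->{groupid};

                my $data = $usercfg->{groups}->{$group};

                die "group '$group' does not exist\n"
                    if !$data;

                # Test for definedness, not truth: a plain truth test silently
                # ignored '' and '0', so a comment could neither be cleared
                # nor set to "0".
                $data->{comment} = $param->{comment} if defined($param->{comment});

                cfs_write_file("user.cfg", $usercfg);
            }, "update group failed"); # prefix names this operation, so a failed update is not logged or reported as a create

        return undef;
    }});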
159 | ||
# fixme: return format!
#
# GET on a single group: return its comment and member list.
# Requires 'Sys.Audit' on '/access'.
# NOTE(review): the index method's permission text also names 'User.Allocate'
# on /access/groups/<group>; the check here does not consult that path, so a
# caller who can list a group that way may still be refused here - confirm
# whether that asymmetry is intended.
# The empty 'returns' schema means the response shape is not declared.
__PACKAGE__->register_method ({
    name => 'read_group',
    path => '{groupid}',
    method => 'GET',
    permissions => {
        check => ['perm', '/access', ['Sys.Audit']],
    },
    description => "Get group configuration.",
    parameters => {
        additionalProperties => 0,
        properties => {
            groupid => { type => 'string', format => 'pve-groupid' },
        },
    },
    returns => {},
    code => sub {
        my ($param) = @_;

        my $groupid = $param->{groupid};

        # Read-only access, so the user-config lock is not taken.
        my $cfg = cfs_read_file("user.cfg");
        my $entry = $cfg->{groups}->{$groupid};

        die "group '$groupid' does not exist\n" unless $entry;

        # The second argument requests the full view, which includes members.
        return $extract_group_data->($entry, 1);
    }});
189 | ||
190 | ||
# DELETE on a single group: remove the group and the ACL entries that name it.
# Requires 'Sys.Modify' on '/access'.
__PACKAGE__->register_method ({
    name => 'delete_group',
    protected => 1,
    path => '{groupid}',
    method => 'DELETE',
    permissions => {
        check => ['perm', '/access', ['Sys.Modify']],
    },
    description => "Delete group.",
    parameters => {
        additionalProperties => 0,
        properties => {
            groupid => { type => 'string' , format => 'pve-groupid' },
        }
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        # Removal of the group and of its ACL entries is written back in one
        # step while the user-config lock is held.
        my $remove = sub {
            my $cfg = cfs_read_file("user.cfg");
            my $groupid = $param->{groupid};

            unless ($cfg->{groups}->{$groupid}) {
                die "group '$groupid' does not exist\n";
            }

            delete $cfg->{groups}->{$groupid};

            # Drop ACL entries for the group as well, so that permissions do
            # not outlive it and attach to a later group of the same name.
            PVE::AccessControl::delete_group_acl($groupid, $cfg);

            cfs_write_file("user.cfg", $cfg);
        };

        PVE::AccessControl::lock_user_config($remove, "delete group failed");

        return undef;
    }});
229 | ||
230 | 1; |