+
+my $verify_auth = sub {
+ my ($rpcenv, $username, $pw_or_ticket, $path, $privs) = @_;
+
+ my $normpath = PVE::AccessControl::normalize_path($path);
+
+ my $ticketuser;
+ if (($ticketuser = PVE::AccessControl::verify_ticket($pw_or_ticket, 1)) &&
+ ($ticketuser eq $username)) {
+ # valid ticket
+ } elsif (PVE::AccessControl::verify_vnc_ticket($pw_or_ticket, $username, $normpath, 1)) {
+ # valid vnc ticket
+ } else {
+ $username = PVE::AccessControl::authenticate_user($username, $pw_or_ticket);
+ }
+
+ my $privlist = [ PVE::Tools::split_list($privs) ];
+ if (!($normpath && scalar(@$privlist) && $rpcenv->check($username, $normpath, $privlist))) {
+ die "no permission ($path, $privs)\n";
+ }
+
+ return { username => $username };
+};
+
+my $create_ticket = sub {
+ my ($rpcenv, $username, $pw_or_ticket) = @_;
+
+ my $ticketuser;
+ if (($ticketuser = PVE::AccessControl::verify_ticket($pw_or_ticket, 1)) &&
+ ($ticketuser eq 'root@pam' || $ticketuser eq $username)) {
+ # valid ticket. Note: root@pam can create tickets for other users
+ } else {
+ $username = PVE::AccessControl::authenticate_user($username, $pw_or_ticket);
+ }
+
+ my $ticket = PVE::AccessControl::assemble_ticket($username);
+ my $csrftoken = PVE::AccessControl::assemble_csrf_prevention_token($username);
+
+ return {
+ ticket => $ticket,
+ username => $username,
+ CSRFPreventionToken => $csrftoken,
+ };
+};
+
+my $compute_api_permission = sub {
+ my ($rpcenv, $authuser) = @_;
+
+ my $usercfg = $rpcenv->{user_cfg};
+
+ my $nodelist = PVE::Cluster::get_nodelist();
+ my $vmlist = PVE::Cluster::get_vmlist() || {};
+ my $idlist = $vmlist->{ids} || {};
+
+ my $cfg = PVE::Storage::config();
+ my @sids = PVE::Storage::storage_ids ($cfg);
+
+ my $res = {
+ vms => {},
+ storage => {},
+ access => {},
+ nodes => {},
+ dc => {},
+ };
+
+ my $extract_vm_caps = sub {
+ my ($path) = @_;
+
+ my $perm = $rpcenv->permissions($authuser, $path);
+ foreach my $priv (keys %$perm) {
+ next if !($priv eq 'Permissions.Modify' || $priv =~ m/^VM\./);
+ $res->{vms}->{$priv} = 1;
+ }
+ };
+
+ foreach my $pool (keys %{$usercfg->{pools}}) {
+ &$extract_vm_caps("/pool/$pool");
+ }
+
+ foreach my $vmid (keys %$idlist, '__phantom__') {
+ &$extract_vm_caps("/vms/$vmid");
+ }
+
+ foreach my $storeid (@sids, '__phantom__') {
+ my $perm = $rpcenv->permissions($authuser, "/storage/$storeid");
+ foreach my $priv (keys %$perm) {
+ next if !($priv eq 'Permissions.Modify' || $priv =~ m/^Datastore\./);
+ $res->{storage}->{$priv} = 1;
+ }
+ }
+
+ foreach my $path (('/access/groups')) {
+ my $perm = $rpcenv->permissions($authuser, $path);
+ foreach my $priv (keys %$perm) {
+ next if $priv !~ m/^(User|Group)\./;
+ $res->{access}->{$priv} = 1;
+ }
+ }
+
+ foreach my $group (keys %{$usercfg->{users}->{$authuser}->{groups}}, '__phantom__') {
+ my $perm = $rpcenv->permissions($authuser, "/access/groups/$group");
+ if ($perm->{'User.Modify'}) {
+ $res->{access}->{'User.Modify'} = 1;
+ }
+ }
+
+ foreach my $node (@$nodelist) {
+ my $perm = $rpcenv->permissions($authuser, "/nodes/$node");
+ foreach my $priv (keys %$perm) {
+ next if $priv !~ m/^Sys\./;
+ $res->{nodes}->{$priv} = 1;
+ }
+ }
+
+ my $perm = $rpcenv->permissions($authuser, "/");
+ $res->{dc}->{'Sys.Audit'} = 1 if $perm->{'Sys.Audit'};
+
+ return $res;
+};
+