- my $usercfg = cfs_read_file("user.cfg");
-
+ my $privs = [ 'User.Modify', 'Sys.Audit' ];
+ my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1);
+ my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
+ my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
+
+ permissions => {
+ description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
+ check => [ 'and',
+ [ 'userid-param', 'Realm.AllocateUser'],
+ [ 'userid-group', ['User.Modify'], groups_param => 1],
+ ],
+ },
description => "Create new user.",
parameters => {
additionalProperties => 0,
properties => {
userid => get_standard_option('userid'),
description => "Create new user.",
parameters => {
additionalProperties => 0,
properties => {
userid => get_standard_option('userid'),
- password => { type => 'string', optional => 1, minLength => 5, maxLength => 64 },
+ password => {
+ description => "Initial password.",
+ type => 'string',
+ optional => 1,
+ minLength => 5,
+ maxLength => 64
+ },
groups => { type => 'string', optional => 1, format => 'pve-groupid-list'},
firstname => { type => 'string', optional => 1 },
lastname => { type => 'string', optional => 1 },
email => { type => 'string', optional => 1, format => 'email-opt' },
comment => { type => 'string', optional => 1 },
groups => { type => 'string', optional => 1, format => 'pve-groupid-list'},
firstname => { type => 'string', optional => 1 },
lastname => { type => 'string', optional => 1 },
email => { type => 'string', optional => 1, format => 'email-opt' },
comment => { type => 'string', optional => 1 },
$usercfg->{users}->{$username}->{lastname} = $param->{lastname} if $param->{lastname};
$usercfg->{users}->{$username}->{email} = $param->{email} if $param->{email};
$usercfg->{users}->{$username}->{comment} = $param->{comment} if $param->{comment};
$usercfg->{users}->{$username}->{lastname} = $param->{lastname} if $param->{lastname};
$usercfg->{users}->{$username}->{email} = $param->{email} if $param->{email};
$usercfg->{users}->{$username}->{comment} = $param->{comment} if $param->{comment};
cfs_write_file("user.cfg", $usercfg);
}, "create user failed");
cfs_write_file("user.cfg", $usercfg);
}, "create user failed");
lastname => { type => 'string', optional => 1 },
email => { type => 'string', optional => 1 },
comment => { type => 'string', optional => 1 },
lastname => { type => 'string', optional => 1 },
email => { type => 'string', optional => 1 },
comment => { type => 'string', optional => 1 },
description => "Update user configuration.",
parameters => {
additionalProperties => 0,
properties => {
userid => get_standard_option('userid'),
description => "Update user configuration.",
parameters => {
additionalProperties => 0,
properties => {
userid => get_standard_option('userid'),
groups => { type => 'string', optional => 1, format => 'pve-groupid-list' },
append => {
type => 'boolean',
groups => { type => 'string', optional => 1, format => 'pve-groupid-list' },
append => {
type => 'boolean',
lastname => { type => 'string', optional => 1 },
email => { type => 'string', optional => 1, format => 'email-opt' },
comment => { type => 'string', optional => 1 },
lastname => { type => 'string', optional => 1 },
email => { type => 'string', optional => 1, format => 'email-opt' },
comment => { type => 'string', optional => 1 },
- die "user '$username' does not exist\n"
- if !$usercfg->{users}->{$username};
-
- PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
- if defined($param->{password});
+ PVE::AccessControl::check_user_exist($usercfg, $username);
$usercfg->{users}->{$username}->{lastname} = $param->{lastname} if defined($param->{lastname});
$usercfg->{users}->{$username}->{email} = $param->{email} if defined($param->{email});
$usercfg->{users}->{$username}->{comment} = $param->{comment} if defined($param->{comment});
$usercfg->{users}->{$username}->{lastname} = $param->{lastname} if defined($param->{lastname});
$usercfg->{users}->{$username}->{email} = $param->{email} if defined($param->{email});
$usercfg->{users}->{$username}->{comment} = $param->{comment} if defined($param->{comment});
cfs_write_file("user.cfg", $usercfg);
}, "update user failed");
cfs_write_file("user.cfg", $usercfg);
}, "update user failed");
+
+ my $rpcenv = PVE::RPCEnvironment::get();
+ my $authuser = $rpcenv->get_user();
+
+ my ($userid, $ruid, $realm) =
+ PVE::AccessControl::verify_username($param->{userid});
- die "user '$username' does not exist\n"
- if !$usercfg->{users}->{$username};
+ my $domain_cfg = cfs_read_file('domains.cfg');
+ if (my $cfg = $domain_cfg->{ids}->{$realm}) {
+ my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
+ $plugin->delete_user($cfg, $realm, $ruid);
+ }
- PVE::AccessControl::delete_shadow_password($ruid) if $realm eq 'pve';
- PVE::AccessControl::delete_user_group($username, $usercfg);
- PVE::AccessControl::delete_user_acl($username, $usercfg);
+ PVE::AccessControl::delete_user_group($userid, $usercfg);
+ PVE::AccessControl::delete_user_acl($userid, $usercfg);
cfs_write_file("user.cfg", $usercfg);
}, "delete user failed");
cfs_write_file("user.cfg", $usercfg);
}, "delete user failed");