path => '',
method => 'GET',
description => "Get Access Control List (ACLs).",
+ permissions => {
+ description => "The returned list is restricted to objects where you have rights to modify permissions.",
+ user => 'all',
+ },
parameters => {
additionalProperties => 0,
properties => {},
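Review bot: The `description` added under `permissions` does not match the filter in the handler: the code further down lets a caller for whom `$rpcenv->check($authuser, '/access', ['Sys.Audit'], 1)` succeeds see every ACL entry, not only the paths they may modify. With `user => 'all'` the method appears to be open to every authenticated user, so this text is the only statement of who sees what and should name both cases, for example `description => "The returned list is restricted to objects where you have rights to modify permissions, unless you have 'Sys.Audit' on '/access'.",`. The method's attribute hash starts and ends outside this hunk.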
code => sub {
my ($param) = @_;
+ my $rpcenv = PVE::RPCEnvironment::get();
+ my $authuser = $rpcenv->get_user();
my $res = [];
- my $usercfg = cfs_read_file("user.cfg");
-
+ my $usercfg = $rpcenv->{user_cfg};
if (!$usercfg || !$usercfg->{acl}) {
return {};
}
+ my $audit = $rpcenv->check($authuser, '/access', ['Sys.Audit'], 1);
+
my $acl = $usercfg->{acl};
foreach my $path (keys %$acl) {
foreach my $type (qw(users groups)) {
my $d = $acl->{$path}->{$type};
next if !$d;
+ next if !($audit || $rpcenv->check_perm_modify($authuser, $path, 1));
foreach my $id (keys %$d) {
foreach my $role (keys %{$d->{$id}}) {
my $propagate = $d->{$id}->{$role};
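Review bot: The per-path filter `next if !($audit || $rpcenv->check_perm_modify($authuser, $path, 1));` sits inside the `users`/`groups` loop although its result depends only on `$path`, so it is evaluated up to twice per path; placing it directly after `foreach my $path (keys %$acl) {` keeps the access decision in one spot per path. A comment such as `# Sys.Audit on /access sees everything; everyone else only paths they may modify` would document the rule. The trailing `1` on both calls is presumably the no-error flag, and the filter depends on a denied check returning false rather than dying, so that is worth a word too. The ACL is now read from `$rpcenv->{user_cfg}` instead of `cfs_read_file`, which reaches into the environment object's internals and assumes the field is populated for this request; an accessor would be safer if one exists. The sub's body continues outside the hunk.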
protected => 1,
path => '',
method => 'PUT',
+ permissions => {
+ check => ['perm-modify', '{path}'],
+ },
description => "Update Access Control List (add or remove permissions).",
parameters => {
additionalProperties => 0,
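Review bot: The `permissions` entry added for PUT binds the check to `{path}` only, and nothing visible in this hunk limits which role, user or group the caller may then assign on that path. The handler body is outside the hunk, so this may be intended (modify rights on a path implying the right to grant any role there), but it should be stated; unlike the GET method, this entry carries no `description`. Once confirmed against the handler, something like `description => "Requires permission to modify ACLs on 'path'; the role being assigned is not checked separately.",` would make the rule explicit for anyone delegating that right.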