use warnings;
use PVE::Cluster qw (cfs_read_file cfs_write_file);
use PVE::AccessControl;
-
use PVE::SafeSyslog;
-
-use Data::Dumper; # fixme: remove
-
use PVE::RESTHandler;
use base qw(PVE::RESTHandler);
-my $extract_group_data = sub {
- my ($data, $full) = @_;
-
- my $res = {};
-
- $res->{comment} = $data->{comment} if defined($data->{comment});
-
- return $res if !$full;
-
- $res->{users} = $data->{users} ? [ keys %{$data->{users}} ] : [];
-
- return $res;
-};
-
-# fixme: index should return more/all attributes?
__PACKAGE__->register_method ({
name => 'index',
path => '',
method => 'GET',
description => "Group index.",
+ permissions => {
+ description => "The returned list is restricted to groups where you have 'User.Modify', 'Sys.Audit' or 'Group.Allocate' permissions on /access/groups/<group>.",
+ user => 'all',
+ },
parameters => {
additionalProperties => 0,
properties => {},
my $res = [];
+ my $rpcenv = PVE::RPCEnvironment::get();
my $usercfg = cfs_read_file("user.cfg");
-
+ my $authuser = $rpcenv->get_user();
+
+ my $privs = [ 'User.Modify', 'Sys.Audit', 'Group.Allocate'];
+
foreach my $group (keys %{$usercfg->{groups}}) {
- my $entry = &$extract_group_data($usercfg->{groups}->{$group});
- $entry->{groupid} = $group;
+ next if !$rpcenv->check_any($authuser, "/access/groups/$group", $privs, 1);
+ my $data = $usercfg->{groups}->{$group};
+ my $entry = { groupid => $group };
+ $entry->{comment} = $data->{comment} if defined($data->{comment});
push @$res, $entry;
}
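Review bot: `PVE::RPCEnvironment::get()` is called in the new index code, but none of the `use` lines visible at the top of this diff loads `PVE::RPCEnvironment`, so the handler appears to rely on another module having loaded it first; adding `use PVE::RPCEnvironment;` next to the other imports would make the dependency explicit. Because the method is declared with `user => 'all'`, the `check_any` call inside the loop is the only thing restricting which groups are returned. The bare trailing `1` in that call looks like the no-error flag and deserves a comment such as `# noerr: skip groups the caller may not see instead of dying`. The handler's sub starts and ends outside the lines shown here.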
protected => 1,
path => '',
method => 'POST',
+ permissions => {
+ check => ['perm', '/access/groups', ['Group.Allocate']],
+ },
description => "Create new group.",
parameters => {
additionalProperties => 0,
protected => 1,
path => '{groupid}',
method => 'PUT',
+ permissions => {
+ check => ['perm', '/access/groups', ['Group.Allocate']],
+ },
description => "Update group data.",
parameters => {
additionalProperties => 0,
properties => {
- # fixme: set/delete members
groupid => { type => 'string', format => 'pve-groupid' },
comment => { type => 'string', optional => 1 },
},
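Review bot: The `check` added here tests `Group.Allocate` on the collection path `/access/groups`, while the index handler filters on the per-group path `/access/groups/$group`; the `read_group` and DELETE checks further down use the same collection-level path. A user who holds the privilege only on a single group's path would see that group in the index but, as far as these lines show, be refused when reading, updating or deleting it. If per-group delegation is intended, the check could name the object: `check => ['perm', '/access/groups/{groupid}', ['Group.Allocate']],`. If it is not, a comment stating that group management is deliberately collection-wide would explain the difference from the index filter.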
die "group '$group' does not exist\n"
if !$data;
- $data->{comment} = $param->{comment} if $param->{comment};
+ $data->{comment} = $param->{comment} if defined($param->{comment});
cfs_write_file("user.cfg", $usercfg);
- }, "create group failed");
+ }, "update group failed");
return undef;
}});
-# fixme: return format!
__PACKAGE__->register_method ({
name => 'read_group',
path => '{groupid}',
method => 'GET',
+ permissions => {
+ check => ['perm', '/access/groups', ['Sys.Audit', 'Group.Allocate'], any => 1],
+ },
description => "Get group configuration.",
parameters => {
additionalProperties => 0,
groupid => { type => 'string', format => 'pve-groupid' },
},
},
- returns => {},
+ returns => {
+ type => "object",
+ additionalProperties => 0,
+ properties => {
+ comment => { type => 'string', optional => 1 },
+ members => {
+ type => 'array',
+ items => {
+ type => "string",
+ },
+ },
+ },
+ },
code => sub {
my ($param) = @_;
die "group '$group' does not exist\n" if !$data;
- return &$extract_group_data($data, 1);
+ my $members = $data->{users} ? [ keys %{$data->{users}} ] : [];
+
+ my $res = { members => $members };
+
+ $res->{comment} = $data->{comment} if defined($data->{comment});
+
+ return $res;
}});
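Review bot: `read_group` accepts only `Sys.Audit` or `Group.Allocate`, whereas the index description also lists `User.Modify`, so a caller holding only `User.Modify` can list a group but not read it; a one-line comment on the `permissions` entry saying whether that is intended would help. The new `members` array is built from `keys`, so its order is hash order and can differ between calls; `my $members = $data->{users} ? [ sort keys %{$data->{users}} ] : [];` would give stable output. `$group` and `$data` are assigned outside the lines shown.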
protected => 1,
path => '{groupid}',
method => 'DELETE',
+ permissions => {
+ check => ['perm', '/access/groups', ['Group.Allocate']],
+ },
description => "Delete group.",
parameters => {
additionalProperties => 0,