path => '',
method => 'GET',
description => "User index.",
- permissions => { user => 'all' },
+ permissions => {
+ description => "The returned list is restricted to users where you have 'User.Modify' or 'User.Allocate' permissions on '/access' or on a group the user belongs too. But it always includes the current (authenticated) user.",
+ user => 'all',
+ },
parameters => {
additionalProperties => 0,
properties => {
my $res = [];
- my $privs = [ 'Sys.UserMod', 'Sys.UserAdd' ];
+ my $privs = [ 'User.Modify', 'User.Allocate' ];
my $canUserMod = $rpcenv->check_any($authuser, "/access", $privs, 1);
my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
protected => 1,
path => '',
method => 'POST',
+ permissions => {
+ description => "You need 'User.Allocate' permissions to '/access/groups/<group>' for any group specified, or 'User.Allocate' on '/access' if you pass no groups.",
+ check => ['userid-group', ['User.Allocate'], groups_param => 1],
+ },
description => "Create new user.",
parameters => {
additionalProperties => 0,
path => '{userid}',
method => 'GET',
description => "Get user configuration.",
+ permissions => {
+ check => ['userid-group', ['User.Modify']],
+ },
parameters => {
additionalProperties => 0,
properties => {
protected => 1,
path => '{userid}',
method => 'PUT',
+ permissions => {
+ check => ['userid-group', ['User.Modify'], groups_param => 1 ],
+ },
description => "Update user configuration.",
parameters => {
additionalProperties => 0,
path => '{userid}',
method => 'DELETE',
description => "Delete user.",
- permissions => { user => 'all' },
+ permissions => {
+ check => ['userid-group', ['User.Allocate']],
+ },
parameters => {
additionalProperties => 0,
properties => {
my $usercfg = cfs_read_file("user.cfg");
- PVE::AccessControl::check_user_exist($usercfg, $userid);
-
- my $privs = [ 'Sys.UserAdd' ]; # there is no Sys.UserDel
- if (!$rpcenv->check($authuser, "/access", $privs, 1)) {
- my $groups = $rpcenv->filter_groups($authuser, sub { return "/access/groups/" . shift; }, $privs, 1);
- my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
- raise_perm_exc() if !$allowed_users->{$userid};
- }
-
delete ($usercfg->{users}->{$userid});
PVE::AccessControl::delete_shadow_password($ruid) if $realm eq 'pve';