X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=PVE%2FAPI2%2FUser.pm;h=aa88dfd72f4898524e8e407aada6230ccd61311f;hb=9691923469709bd3f5660748e17a6036ad80faaa;hp=5cfb155fca8dafaf577900975ebb97969125d660;hpb=b9180ed235f8ae6d7517fb232a1ed1986082e88f;p=pve-access-control.git diff --git a/PVE/API2/User.pm b/PVE/API2/User.pm index 5cfb155..aa88dfd 100644 --- a/PVE/API2/User.pm +++ b/PVE/API2/User.pm @@ -37,7 +37,10 @@ __PACKAGE__->register_method ({ path => '', method => 'GET', description => "User index.", - permissions => { user => 'all' }, + permissions => { + description => "The returned list is restricted to users where you have 'User.Modify' or 'User.Delete' permissions on '/access' or on a group the user belongs too. But it always includes the current (authenticated) user.", + user => 'all', + }, parameters => { additionalProperties => 0, properties => { @@ -67,7 +70,7 @@ __PACKAGE__->register_method ({ my $res = []; - my $privs = [ 'Sys.UserMod', 'Sys.UserAdd' ]; + my $privs = [ 'User.Modify', 'User.Delete' ]; my $canUserMod = $rpcenv->check_any($authuser, "/access", $privs, 1); my $groups = $rpcenv->filter_groups($authuser, $privs, 1); @@ -98,6 +101,10 @@ __PACKAGE__->register_method ({ protected => 1, path => '', method => 'POST', + permissions => { + description => "You need 'User.Add' permissions to '/access/groups/' for any group specified, or 'User.Add' on '/access' if you pass no groups.", + check => ['userid-group', ['User.Add'], groups_param => 1], + }, description => "Create new user.", parameters => { additionalProperties => 0, @@ -176,6 +183,9 @@ __PACKAGE__->register_method ({ path => '{userid}', method => 'GET', description => "Get user configuration.", + permissions => { + check => ['userid-group', ['User.Modify']], + }, parameters => { additionalProperties => 0, properties => { @@ -212,6 +222,9 @@ __PACKAGE__->register_method ({ protected => 1, path => '{userid}', method => 'PUT', + permissions => { + check => ['userid-group', ['User.Modify'], groups_param => 1 ], + }, description => "Update user configuration.", parameters => { additionalProperties => 0, @@ -288,7 +301,9 @@ __PACKAGE__->register_method ({ path => '{userid}', method => 'DELETE', description => "Delete user.", - permissions => { user => 'all' }, + permissions => { + check => ['userid-group', ['User.Delete']], + }, parameters => { additionalProperties => 0, properties => { @@ -310,15 +325,6 @@ __PACKAGE__->register_method ({ my $usercfg = cfs_read_file("user.cfg"); - PVE::AccessControl::check_user_exist($usercfg, $userid); - - my $privs = [ 'Sys.UserAdd' ]; # there is no Sys.UserDel - if (!$rpcenv->check($authuser, "/access", $privs, 1)) { - my $groups = $rpcenv->filter_groups($authuser, sub { return "/access/groups/" . shift; }, $privs, 1); - my $allowed_users = $rpcenv->group_member_join([keys %$groups]); - raise_perm_exc() if !$allowed_users->{$userid}; - } - delete ($usercfg->{users}->{$userid}); PVE::AccessControl::delete_shadow_password($ruid) if $realm eq 'pve';