use serde_json::{json, Value};
-use proxmox::api::{api, RpcEnvironment, Permission};
+use proxmox::api::{api, RpcEnvironment, Permission, UserInformation};
use proxmox::api::router::{Router, SubdirMap};
use proxmox::{sortable, identity};
use proxmox::{http_err, list_subdirs_api_method};
use crate::tools::ticket::*;
use crate::auth_helpers::*;
use crate::api2::types::*;
+
use crate::config::cached_user_info::CachedUserInfo;
+use crate::config::acl::PRIV_PERMISSIONS_MODIFY;
pub mod user;
pub mod domain;
},
},
access: {
- description: "Anybody is allowed to change there own password. The Superuser may change any password.",
+ description: "Anybody is allowed to change there own password. In addition, users with 'Permissions:Modify' privilege may change any password.",
permission: &Permission::Anybody,
},
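Review bot: The rewritten `description` on the `+` line still carries the typo "there own"; since the line is being edited anyway it could read `description: "Anybody is allowed to change their own password. In addition, users with 'Permissions:Modify' privilege may change any password.",`. It would also help to state that the privilege is evaluated on the ACL root path, since that is how the lookup in the function body is written. The surrounding `#[api(...)]` block starts and ends outside the hunk.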
if userid == "root@pam" { allowed = true; }
+ if !allowed {
+ use crate::config::cached_user_info::CachedUserInfo;
+
+ let user_info = CachedUserInfo::new()?;
+ let privs = user_info.lookup_privs(¤t_user, &[]);
+ if (privs & PRIV_PERMISSIONS_MODIFY) != 0 { allowed = true; }
+ }
+
if !allowed {
bail!("you are not authorized to change the password.");
}
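Review bot: The function-local `use crate::config::cached_user_info::CachedUserInfo;` in the new `if !allowed` block duplicates the file-level import this patch adds at the top of the same file, so it can be dropped. The new check grants the change to any user holding `PRIV_PERMISSIONS_MODIFY` on the ACL root (`&[]`), which is consistent with the user create/update/remove endpoints in user.rs; a comment making that explicit would help, e.g. `// Permissions:Modify on the ACL root lets a user change any password (same gate as user.rs)`. The `¤t_user` token on the lookup line looks like a rendering artefact of `&current_user` and should be confirmed in the actual source. The enclosing function, `allowed` and `current_user` are defined outside the hunk.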
use crate::api2::types::*;
use crate::config::user;
-use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_SYS_MODIFY};
+use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_PERMISSIONS_MODIFY};
pub const PBS_PASSWORD_SCHEMA: Schema = StringSchema::new("User Password.")
.format(&PASSWORD_FORMAT)
},
},
access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+ permission: &Permission::Privilege(&[], PRIV_PERMISSIONS_MODIFY, false),
},
)]
/// Create new user.
},
},
access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+ permission: &Permission::Privilege(&[], PRIV_PERMISSIONS_MODIFY, false),
},
)]
/// Update user configuration.
},
},
access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+ permission: &Permission::Privilege(&[], PRIV_PERMISSIONS_MODIFY, false),
},
)]
/// Remove a user from the configuration file.
pub const PRIV_DATASTORE_ALLOCATE: u64 = 1 << 4;
pub const PRIV_DATASTORE_ALLOCATE_SPACE: u64 = 1 << 5;
+pub const PRIV_PERMISSIONS_MODIFY: u64 = 1 << 6;
+
pub const ROLE_ADMIN: u64 = std::u64::MAX;
pub const ROLE_NO_ACCESS: u64 = 0;
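Review bot: `PRIV_PERMISSIONS_MODIFY` is introduced without a doc comment, while this patch makes it the gate for creating, updating and removing users and for changing other users' passwords; a `///` line stating that would help, e.g. `/// Modify ACLs and user accounts, including other users' passwords.`. Because `ROLE_ADMIN` is `u64::MAX` it carries the new bit automatically, but any role defined as an explicit OR of privilege bits (not visible in this hunk) would need updating if it is meant to include it.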