add more privileges, improve docs
[pve-access-control.git] / PVE / API2 / Group.pm
CommitLineData
2c3a6c0a
DM
1package PVE::API2::Group;
2
3use strict;
4use warnings;
5use PVE::Cluster qw (cfs_read_file cfs_write_file);
6use PVE::AccessControl;
2c3a6c0a 7use PVE::SafeSyslog;
2c3a6c0a
DM
8use PVE::RESTHandler;
9
10use base qw(PVE::RESTHandler);
11
2c3a6c0a
DM
12__PACKAGE__->register_method ({
13 name => 'index',
14 path => '',
15 method => 'GET',
16 description => "Group index.",
96919234 17 permissions => {
82b63965 18 description => "The returned list is restricted to groups where you have 'User.Modify', 'Sys.Audit' or 'Group.Allocate' permissions on /access/groups/<group>.",
96919234
DM
19 user => 'all',
20 },
2c3a6c0a
DM
21 parameters => {
22 additionalProperties => 0,
23 properties => {},
24 },
25 returns => {
26 type => 'array',
27 items => {
28 type => "object",
29 properties => {
30 groupid => { type => 'string' },
31 },
32 },
33 links => [ { rel => 'child', href => "{groupid}" } ],
34 },
35 code => sub {
36 my ($param) = @_;
37
38 my $res = [];
39
96919234 40 my $rpcenv = PVE::RPCEnvironment::get();
2c3a6c0a 41 my $usercfg = cfs_read_file("user.cfg");
96919234
DM
42 my $authuser = $rpcenv->get_user();
43
82b63965
DM
44 my $privs = [ 'User.Modify', 'Sys.Audit', 'Group.Allocate'];
45
2c3a6c0a 46 foreach my $group (keys %{$usercfg->{groups}}) {
82b63965 47 next if !$rpcenv->check_any($authuser, "/access/groups/$group", $privs, 1);
8de1fb5a
DM
48 my $data = $usercfg->{groups}->{$group};
49 my $entry = { groupid => $group };
50 $entry->{comment} = $data->{comment} if defined($data->{comment});
2c3a6c0a
DM
51 push @$res, $entry;
52 }
53
54 return $res;
55 }});
56
57__PACKAGE__->register_method ({
58 name => 'create_group',
59 protected => 1,
60 path => '',
61 method => 'POST',
96919234 62 permissions => {
82b63965 63 check => ['perm', '/access/groups', ['Group.Allocate']],
96919234 64 },
2c3a6c0a
DM
65 description => "Create new group.",
66 parameters => {
67 additionalProperties => 0,
68 properties => {
69 groupid => { type => 'string', format => 'pve-groupid' },
70 comment => { type => 'string', optional => 1 },
71 },
72 },
73 returns => { type => 'null' },
74 code => sub {
75 my ($param) = @_;
76
77 PVE::AccessControl::lock_user_config(
78 sub {
79
80 my $usercfg = cfs_read_file("user.cfg");
81
82 my $group = $param->{groupid};
83
84 die "group '$group' already exists\n"
85 if $usercfg->{groups}->{$group};
86
87 $usercfg->{groups}->{$group} = { users => {} };
88
89 $usercfg->{groups}->{$group}->{comment} = $param->{comment} if $param->{comment};
90
91
92 cfs_write_file("user.cfg", $usercfg);
93 }, "create group failed");
94
95 return undef;
96 }});
97
98__PACKAGE__->register_method ({
99 name => 'update_group',
100 protected => 1,
101 path => '{groupid}',
102 method => 'PUT',
96919234 103 permissions => {
82b63965 104 check => ['perm', '/access/groups', ['Group.Allocate']],
96919234 105 },
2c3a6c0a
DM
106 description => "Update group data.",
107 parameters => {
108 additionalProperties => 0,
109 properties => {
2c3a6c0a
DM
110 groupid => { type => 'string', format => 'pve-groupid' },
111 comment => { type => 'string', optional => 1 },
112 },
113 },
114 returns => { type => 'null' },
115 code => sub {
116 my ($param) = @_;
117
118 PVE::AccessControl::lock_user_config(
119 sub {
120
121 my $usercfg = cfs_read_file("user.cfg");
122
123 my $group = $param->{groupid};
124
125 my $data = $usercfg->{groups}->{$group};
126
127 die "group '$group' does not exist\n"
128 if !$data;
129
39c85db8 130 $data->{comment} = $param->{comment} if defined($param->{comment});
2c3a6c0a
DM
131
132 cfs_write_file("user.cfg", $usercfg);
39c85db8 133 }, "update group failed");
2c3a6c0a
DM
134
135 return undef;
136 }});
137
2c3a6c0a
DM
138__PACKAGE__->register_method ({
139 name => 'read_group',
140 path => '{groupid}',
141 method => 'GET',
96919234 142 permissions => {
82b63965
DM
143 check => ['perm', '/access/groups', ['Sys.Audit', 'Group.Allocate'], any => 1],
144 },
2c3a6c0a
DM
145 description => "Get group configuration.",
146 parameters => {
147 additionalProperties => 0,
148 properties => {
149 groupid => { type => 'string', format => 'pve-groupid' },
150 },
151 },
8de1fb5a
DM
152 returns => {
153 type => "object",
154 additionalProperties => 0,
155 properties => {
156 comment => { type => 'string', optional => 1 },
157 members => {
158 type => 'array',
159 items => {
160 type => "string",
161 },
162 },
163 },
164 },
2c3a6c0a
DM
165 code => sub {
166 my ($param) = @_;
167
168 my $group = $param->{groupid};
169
170 my $usercfg = cfs_read_file("user.cfg");
171
172 my $data = $usercfg->{groups}->{$group};
173
174 die "group '$group' does not exist\n" if !$data;
175
8de1fb5a
DM
176 my $members = $data->{users} ? [ keys %{$data->{users}} ] : [];
177
178 my $res = { members => $members };
179
180 $res->{comment} = $data->{comment} if defined($data->{comment});
181
182 return $res;
2c3a6c0a
DM
183 }});
184
185
186__PACKAGE__->register_method ({
187 name => 'delete_group',
188 protected => 1,
189 path => '{groupid}',
190 method => 'DELETE',
96919234 191 permissions => {
82b63965 192 check => ['perm', '/access/groups', ['Group.Allocate']],
96919234 193 },
2c3a6c0a
DM
194 description => "Delete group.",
195 parameters => {
196 additionalProperties => 0,
197 properties => {
198 groupid => { type => 'string' , format => 'pve-groupid' },
199 }
200 },
201 returns => { type => 'null' },
202 code => sub {
203 my ($param) = @_;
204
205 PVE::AccessControl::lock_user_config(
206 sub {
207
208 my $usercfg = cfs_read_file("user.cfg");
209
210 my $group = $param->{groupid};
211
212 die "group '$group' does not exist\n"
213 if !$usercfg->{groups}->{$group};
214
215 delete ($usercfg->{groups}->{$group});
216
217 PVE::AccessControl::delete_group_acl($group, $usercfg);
218
219 cfs_write_file("user.cfg", $usercfg);
220 }, "delete group failed");
221
222 return undef;
223 }});
224
2251;