1 package PVE
::API2
::Group
;
5 use PVE
::Cluster qw
(cfs_read_file cfs_write_file
);
6 use PVE
::AccessControl
;
10 use Data
::Dumper
; # fixme: remove
14 use base
qw(PVE::RESTHandler);
16 my $extract_group_data = sub {
17 my ($data, $full) = @_;
21 $res->{comment
} = $data->{comment
} if defined($data->{comment
});
23 return $res if !$full;
25 $res->{users
} = $data->{users
} ?
[ keys %{$data->{users
}} ] : [];
30 # fixme: index should return more/all attributes?
31 __PACKAGE__-
>register_method ({
35 description
=> "Group index.",
37 description
=> "The returned list is restricted to groups where you have 'User.Add' or 'Sys.Audit' permissions on '/access', or 'User.Add' on /access/groups/<group>.",
41 additionalProperties
=> 0,
49 groupid
=> { type
=> 'string' },
52 links
=> [ { rel
=> 'child', href
=> "{groupid}" } ],
59 my $rpcenv = PVE
::RPCEnvironment
::get
();
60 my $usercfg = cfs_read_file
("user.cfg");
61 my $authuser = $rpcenv->get_user();
63 my $privs = [ 'User.Add', 'Sys.Audit' ];
64 my $allow = $rpcenv->check_any($authuser, "/access", $privs, 1);
65 syslog
("info", "TEST $allow");
66 my $allowed_groups = $rpcenv->filter_groups($authuser, $privs, 1);
68 foreach my $group (keys %{$usercfg->{groups
}}) {
69 next if !($allow || $allowed_groups->{$group});
70 my $entry = &$extract_group_data($usercfg->{groups
}->{$group});
71 $entry->{groupid
} = $group;
78 __PACKAGE__-
>register_method ({
79 name
=> 'create_group',
84 check
=> ['perm', '/access', ['Sys.Modify']],
86 description
=> "Create new group.",
88 additionalProperties
=> 0,
90 groupid
=> { type
=> 'string', format
=> 'pve-groupid' },
91 comment
=> { type
=> 'string', optional
=> 1 },
94 returns
=> { type
=> 'null' },
98 PVE
::AccessControl
::lock_user_config
(
101 my $usercfg = cfs_read_file
("user.cfg");
103 my $group = $param->{groupid
};
105 die "group '$group' already exists\n"
106 if $usercfg->{groups
}->{$group};
108 $usercfg->{groups
}->{$group} = { users
=> {} };
110 $usercfg->{groups
}->{$group}->{comment
} = $param->{comment
} if $param->{comment
};
113 cfs_write_file
("user.cfg", $usercfg);
114 }, "create group failed");
119 __PACKAGE__-
>register_method ({
120 name
=> 'update_group',
125 check
=> ['perm', '/access', ['Sys.Modify']],
127 description
=> "Update group data.",
129 additionalProperties
=> 0,
131 # fixme: set/delete members
132 groupid
=> { type
=> 'string', format
=> 'pve-groupid' },
133 comment
=> { type
=> 'string', optional
=> 1 },
136 returns
=> { type
=> 'null' },
140 PVE
::AccessControl
::lock_user_config
(
143 my $usercfg = cfs_read_file
("user.cfg");
145 my $group = $param->{groupid
};
147 my $data = $usercfg->{groups
}->{$group};
149 die "group '$group' does not exist\n"
152 $data->{comment
} = $param->{comment
} if $param->{comment
};
154 cfs_write_file
("user.cfg", $usercfg);
155 }, "create group failed");
160 # fixme: return format!
161 __PACKAGE__-
>register_method ({
162 name
=> 'read_group',
166 check
=> ['perm', '/access', ['Sys.Audit']],
168 description
=> "Get group configuration.",
170 additionalProperties
=> 0,
172 groupid
=> { type
=> 'string', format
=> 'pve-groupid' },
179 my $group = $param->{groupid
};
181 my $usercfg = cfs_read_file
("user.cfg");
183 my $data = $usercfg->{groups
}->{$group};
185 die "group '$group' does not exist\n" if !$data;
187 return &$extract_group_data($data, 1);
191 __PACKAGE__-
>register_method ({
192 name
=> 'delete_group',
197 check
=> ['perm', '/access', ['Sys.Modify']],
199 description
=> "Delete group.",
201 additionalProperties
=> 0,
203 groupid
=> { type
=> 'string' , format
=> 'pve-groupid' },
206 returns
=> { type
=> 'null' },
210 PVE
::AccessControl
::lock_user_config
(
213 my $usercfg = cfs_read_file
("user.cfg");
215 my $group = $param->{groupid
};
217 die "group '$group' does not exist\n"
218 if !$usercfg->{groups
}->{$group};
220 delete ($usercfg->{groups
}->{$group});
222 PVE
::AccessControl
::delete_group_acl
($group, $usercfg);
224 cfs_write_file
("user.cfg", $usercfg);
225 }, "delete group failed");
projects / pve-access-control.git / blob