1 package PVE
::API2
::User
;
5 use PVE
::Exception
qw(raise raise_perm_exc);
6 use PVE
::Cluster qw
(cfs_read_file cfs_write_file
);
7 use PVE
::Tools
qw(split_list);
8 use PVE
::AccessControl
;
9 use PVE
::JSONSchema
qw(get_standard_option);
13 use Data
::Dumper
; # fixme: remove
17 use base
qw(PVE::RESTHandler);
19 my $extract_user_data = sub {
20 my ($data, $full) = @_;
24 foreach my $prop (qw(enable expire firstname lastname email comment)) {
25 $res->{$prop} = $data->{$prop} if defined($data->{$prop});
28 return $res if !$full;
30 $res->{groups
} = $data->{groups
} ?
[ keys %{$data->{groups
}} ] : [];
35 __PACKAGE__-
>register_method ({
39 description
=> "User index.",
41 description
=> "The returned list is restricted to users where you have 'User.Modify' or 'User.Allocate' permissions on '/access' or on a group the user belongs too. But it always includes the current (authenticated) user.",
45 additionalProperties
=> 0,
49 description
=> "Optional filter for enable property.",
59 userid
=> { type
=> 'string' },
62 links
=> [ { rel
=> 'child', href
=> "{userid}" } ],
67 my $rpcenv = PVE
::RPCEnvironment
::get
();
68 my $usercfg = $rpcenv->{user_cfg
};
69 my $authuser = $rpcenv->get_user();
73 my $privs = [ 'User.Modify', 'User.Allocate' ];
75 my $canUserMod = $rpcenv->check_any($authuser, "/access", $privs, 1);
76 my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
77 my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
79 foreach my $user (keys %{$usercfg->{users
}}) {
81 if (!($canUserMod || $user eq $authuser)) {
82 next if !$allowed_users->{$user};
85 my $entry = &$extract_user_data($usercfg->{users
}->{$user});
87 if (defined($param->{enabled
})) {
88 next if $entry->{enable
} && !$param->{enabled
};
89 next if !$entry->{enable
} && $param->{enabled
};
92 $entry->{userid
} = $user;
99 __PACKAGE__-
>register_method ({
100 name
=> 'create_user',
105 description
=> "You need 'User.Allocate' permissions to '/access/groups/<group>' for any group specified, or 'User.Allocate' on '/access' if you pass no groups.",
106 check
=> ['userid-group', ['User.Allocate'], groups_param
=> 1],
108 description
=> "Create new user.",
110 additionalProperties
=> 0,
112 userid
=> get_standard_option
('userid'),
114 description
=> "Initial password.",
120 groups
=> { type
=> 'string', optional
=> 1, format
=> 'pve-groupid-list'},
121 firstname
=> { type
=> 'string', optional
=> 1 },
122 lastname
=> { type
=> 'string', optional
=> 1 },
123 email
=> { type
=> 'string', optional
=> 1, format
=> 'email-opt' },
124 comment
=> { type
=> 'string', optional
=> 1 },
126 description
=> "Account expiration date (seconds since epoch). '0' means no expiration date.",
132 description
=> "Enable the account (default). You can set this to '0' to disable the accout",
139 returns
=> { type
=> 'null' },
143 PVE
::AccessControl
::lock_user_config
(
146 my ($username, $ruid, $realm) = PVE
::AccessControl
::verify_username
($param->{userid
});
148 my $usercfg = cfs_read_file
("user.cfg");
150 die "user '$username' already exists\n"
151 if $usercfg->{users
}->{$username};
153 PVE
::AccessControl
::domain_set_password
($realm, $ruid, $param->{password
})
154 if defined($param->{password
});
156 my $enable = defined($param->{enable
}) ?
$param->{enable
} : 1;
157 $usercfg->{users
}->{$username} = { enable
=> $enable };
158 $usercfg->{users
}->{$username}->{expire
} = $param->{expire
} if $param->{expire
};
160 if ($param->{groups
}) {
161 foreach my $group (split_list
($param->{groups
})) {
162 if ($usercfg->{groups
}->{$group}) {
163 PVE
::AccessControl
::add_user_group
($username, $usercfg, $group);
165 die "no such group '$group'\n";
170 $usercfg->{users
}->{$username}->{firstname
} = $param->{firstname
} if $param->{firstname
};
171 $usercfg->{users
}->{$username}->{lastname
} = $param->{lastname
} if $param->{lastname
};
172 $usercfg->{users
}->{$username}->{email
} = $param->{email
} if $param->{email
};
173 $usercfg->{users
}->{$username}->{comment
} = $param->{comment
} if $param->{comment
};
175 cfs_write_file
("user.cfg", $usercfg);
176 }, "create user failed");
181 __PACKAGE__-
>register_method ({
185 description
=> "Get user configuration.",
187 check
=> ['userid-group', ['User.Modify']],
190 additionalProperties
=> 0,
192 userid
=> get_standard_option
('userid'),
196 additionalProperties
=> 0,
198 enable
=> { type
=> 'boolean' },
199 expire
=> { type
=> 'integer', optional
=> 1 },
200 firstname
=> { type
=> 'string', optional
=> 1 },
201 lastname
=> { type
=> 'string', optional
=> 1 },
202 email
=> { type
=> 'string', optional
=> 1 },
203 comment
=> { type
=> 'string', optional
=> 1 },
204 groups
=> { type
=> 'array' },
210 my ($username, undef, $domain) =
211 PVE
::AccessControl
::verify_username
($param->{userid
});
213 my $usercfg = cfs_read_file
("user.cfg");
215 my $data = PVE
::AccessControl
::check_user_exist
($usercfg, $username);
217 return &$extract_user_data($data, 1);
220 __PACKAGE__-
>register_method ({
221 name
=> 'update_user',
226 check
=> ['userid-group', ['User.Modify'], groups_param
=> 1 ],
228 description
=> "Update user configuration.",
230 additionalProperties
=> 0,
232 userid
=> get_standard_option
('userid'),
233 groups
=> { type
=> 'string', optional
=> 1, format
=> 'pve-groupid-list' },
237 requires
=> 'groups',
240 description
=> "Enable/disable the account.",
244 firstname
=> { type
=> 'string', optional
=> 1 },
245 lastname
=> { type
=> 'string', optional
=> 1 },
246 email
=> { type
=> 'string', optional
=> 1, format
=> 'email-opt' },
247 comment
=> { type
=> 'string', optional
=> 1 },
249 description
=> "Account expiration date (seconds since epoch). '0' means no expiration date.",
256 returns
=> { type
=> 'null' },
260 my ($username, $ruid, $realm) =
261 PVE
::AccessControl
::verify_username
($param->{userid
});
263 PVE
::AccessControl
::lock_user_config
(
266 my $usercfg = cfs_read_file
("user.cfg");
268 PVE
::AccessControl
::check_user_exist
($usercfg, $username);
270 $usercfg->{users
}->{$username}->{enable
} = $param->{enable
} if defined($param->{enable
});
272 $usercfg->{users
}->{$username}->{expire
} = $param->{expire
} if defined($param->{expire
});
274 PVE
::AccessControl
::delete_user_group
($username, $usercfg)
275 if (!$param->{append
} && defined($param->{groups
}));
277 if ($param->{groups
}) {
278 foreach my $group (split_list
($param->{groups
})) {
279 if ($usercfg->{groups
}->{$group}) {
280 PVE
::AccessControl
::add_user_group
($username, $usercfg, $group);
282 die "no such group '$group'\n";
287 $usercfg->{users
}->{$username}->{firstname
} = $param->{firstname
} if defined($param->{firstname
});
288 $usercfg->{users
}->{$username}->{lastname
} = $param->{lastname
} if defined($param->{lastname
});
289 $usercfg->{users
}->{$username}->{email
} = $param->{email
} if defined($param->{email
});
290 $usercfg->{users
}->{$username}->{comment
} = $param->{comment
} if defined($param->{comment
});
292 cfs_write_file
("user.cfg", $usercfg);
293 }, "update user failed");
298 __PACKAGE__-
>register_method ({
299 name
=> 'delete_user',
303 description
=> "Delete user.",
305 check
=> ['userid-group', ['User.Allocate']],
308 additionalProperties
=> 0,
310 userid
=> get_standard_option
('userid'),
313 returns
=> { type
=> 'null' },
317 my $rpcenv = PVE
::RPCEnvironment
::get
();
318 my $authuser = $rpcenv->get_user();
320 my ($userid, $ruid, $realm) =
321 PVE
::AccessControl
::verify_username
($param->{userid
});
323 PVE
::AccessControl
::lock_user_config
(
326 my $usercfg = cfs_read_file
("user.cfg");
328 delete ($usercfg->{users
}->{$userid});
330 PVE
::AccessControl
::delete_shadow_password
($ruid) if $realm eq 'pve';
332 PVE
::AccessControl
::delete_user_group
($userid, $usercfg);
333 PVE
::AccessControl
::delete_user_acl
($userid, $usercfg);
335 cfs_write_file
("user.cfg", $usercfg);
336 }, "delete user failed");