use PVE::Tools qw(split_list);
use PVE::AccessControl;
use PVE::Exception qw(raise_param_exc);
+use PVE::JSONSchema qw(get_standard_option register_standard_option);
use PVE::SafeSyslog;
use base qw(PVE::RESTHandler);
+register_standard_option('acl-propagate', {
+ description => "Allow to propagate (inherit) permissions.",
+ type => 'boolean',
+ title => 'Propagate',
+ optional => 1,
+ default => 1,
+});
+register_standard_option('acl-path', {
+ description => "Access control path",
+ title => 'Path',
+ type => 'string',
+});
+
__PACKAGE__->register_method ({
- name => 'read_acl',
- path => '',
+ name => 'read_acl',
+ path => '',
method => 'GET',
description => "Get Access Control List (ACLs).",
- permissions => {
+ permissions => {
description => "The returned list is restricted to objects where you have rights to modify permissions.",
user => 'all',
},
type => "object",
additionalProperties => 0,
properties => {
- path => { type => 'string' },
- type => { type => 'string', enum => ['user', 'group'] },
- ugid => { type => 'string' },
- roleid => { type => 'string' },
- propagate => { type => 'boolean' },
+ propagate => get_standard_option('acl-propagate'),
+ path => get_standard_option('acl-path'),
+ type => { type => 'string', title => 'Type', enum => ['user', 'group'] },
+ ugid => { type => 'string', title => 'ID' },
+ roleid => { type => 'string', title => 'Role' },
},
},
},
code => sub {
my ($param) = @_;
-
+
my $rpcenv = PVE::RPCEnvironment::get();
my $authuser = $rpcenv->get_user();
my $res = [];
}});
__PACKAGE__->register_method ({
- name => 'update_acl',
+ name => 'update_acl',
protected => 1,
- path => '',
+ path => '',
method => 'PUT',
- permissions => {
+ permissions => {
check => ['perm-modify', '{path}'],
},
description => "Update Access Control List (add or remove permissions).",
parameters => {
- additionalProperties => 0,
+ additionalProperties => 0,
properties => {
- path => {
- description => "Access control path",
- type => 'string',
- },
- users => {
+ propagate => get_standard_option('acl-propagate'),
+ path => get_standard_option('acl-path'),
+ users => {
description => "List of users.",
- type => 'string', format => 'pve-userid-list',
+ type => 'string', format => 'pve-userid-list',
optional => 1,
},
- groups => {
+ groups => {
description => "List of groups.",
type => 'string', format => 'pve-groupid-list',
- optional => 1,
+ optional => 1,
},
- roles => {
+ roles => {
description => "List of roles.",
type => 'string', format => 'pve-roleid-list',
},
- propagate => {
- description => "Allow to propagate (inherit) permissions.",
- type => 'boolean',
- optional => 1,
- default => 1,
- },
delete => {
description => "Remove permissions (instead of adding it).",
- type => 'boolean',
+ type => 'boolean',
optional => 1,
},
},
my ($param) = @_;
if (!($param->{users} || $param->{groups})) {
- raise_param_exc({
- users => "either 'users' or 'groups' is required.",
+ raise_param_exc({
+ users => "either 'users' or 'groups' is required.",
groups => "either 'users' or 'groups' is required." });
}
PVE::AccessControl::lock_user_config(
sub {
-
+
my $cfg = cfs_read_file("user.cfg");
my $propagate = 1;
-
+
if (defined($param->{propagate})) {
$propagate = $param->{propagate} ? 1 : 0;
}
foreach my $role (split_list($param->{roles})) {
- die "role '$role' does not exist\n"
+ die "role '$role' does not exist\n"
if !$cfg->{roles}->{$role};
foreach my $group (split_list($param->{groups})) {
delete($cfg->{acl}->{$path}->{users}->{$username}->{$role});
} else {
$cfg->{acl}->{$path}->{users}->{$username}->{$role} = $propagate;
- }
+ }
}
}
projects / pve-access-control.git / blobdiff