use PVE::API2::Group;
use PVE::API2::Role;
use PVE::API2::ACL;
-use PVE::API2::Pool;
use base qw(PVE::RESTHandler);
path => 'domains',
});
-__PACKAGE__->register_method ({
- subclass => "PVE::API2::Pool",
- path => 'pools',
-});
-
__PACKAGE__->register_method ({
name => 'index',
path => '',
method => 'GET',
description => "Directory index.",
+ permissions => {
+ user => 'all',
+ },
parameters => {
additionalProperties => 0,
properties => {},
path => 'password',
method => 'PUT',
permissions => {
- description => "Each user is allowed to change his own password. A user can change the password of another user if he has modify permission on /access/groups/<group> on a group where user <userid> is member of.",
+ description => "Each user is allowed to change his own password. A user can change the password of another user if he has 'Realm.AllocateUser' (on the realm of user <userid>) and 'User.Modify' permission on /access/groups/<group> on a group where user <userid> is member of.",
check => [ 'or',
['userid-param', 'self'],
- ['userid-group', ['User.Modify']],
+ [ 'and',
+ [ 'userid-param', 'Realm.AllocateUser'],
+ [ 'userid-group', ['User.Modify']]
+ ]
],
},
protected => 1, # else we can't access shadow files
} else {
# only root may change root password
raise_perm_exc() if $userid eq 'root@pam';
+ # do not allow to change system user passwords
+ raise_perm_exc() if $realm eq 'pam';
}
}
projects / pve-access-control.git / blobdiff