cleanup permission checks

[pve-access-control.git] / PVE / API2 / AccessControl.pm

diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm
index 913bdd81a8fea82fd6ed71735ba696be80734b08..58d93dd4fe9997462db7078b3aa5b7243e8df1d7 100644 (file)
--- a/PVE/API2/AccessControl.pm
+++ b/PVE/API2/AccessControl.pm
@@ -54,6 +54,9 @@ __PACKAGE__->register_method ({
     path => '', 
     method => 'GET',
     description => "Directory index.",
+    permissions => { 
+       user => 'all',
+    },
     parameters => {
        additionalProperties => 0,
        properties => {},
@@ -220,10 +223,13 @@ __PACKAGE__->register_method ({
     path => 'password', 
     method => 'PUT',
     permissions => { 
-       description => "Each user is allowed to change his own password. A user can change the password of another user if he has modify permission on /access/groups/<group> on a group where user <userid> is member of.",
+       description => "Each user is allowed to change his own password. A user can change the password of another user if he has 'Realm.AllocateUser' (on the realm of user <userid>) and 'User.Modify' permission on /access/groups/<group> on a group where user <userid> is member of.",
        check => [ 'or', 
                   ['userid-param', 'self'],
-                  ['userid-group', ['User.Modify']],
+                  [ 'and',
+                    [ 'userid-param', 'Realm.AllocateUser'],
+                    [ 'userid-group', ['User.Modify']]
+                  ]
            ],
     },
     protected => 1, # else we can't access shadow files