use warnings;
use PVE::Cluster qw (cfs_read_file cfs_write_file);
use PVE::AccessControl;
-
use PVE::SafeSyslog;
-
-use Data::Dumper; # fixme: remove
-
use PVE::RESTHandler;
use base qw(PVE::RESTHandler);
-my $extract_group_data = sub {
- my ($data, $full) = @_;
-
- my $res = {};
-
- $res->{comment} = $data->{comment} if defined($data->{comment});
-
- return $res if !$full;
-
- $res->{users} = $data->{users} ? [ keys %{$data->{users}} ] : [];
-
- return $res;
-};
-
-# fixme: index should return more/all attributes?
__PACKAGE__->register_method ({
name => 'index',
path => '',
method => 'GET',
description => "Group index.",
permissions => {
- description => "The returned list is restricted to groups where you have 'User.Add' or 'Sys.Audit' permissions on '/access', or 'User.Add' on /access/groups/<group>.",
+ description => "The returned list is restricted to groups where you have 'User.Modify', 'Sys.Audit' or 'Group.Allocate' permissions on /access/groups/<group>.",
user => 'all',
},
parameters => {
my $usercfg = cfs_read_file("user.cfg");
my $authuser = $rpcenv->get_user();
- my $privs = [ 'User.Add', 'Sys.Audit' ];
- my $allow = $rpcenv->check_any($authuser, "/access", $privs, 1);
- my $allowed_groups = $rpcenv->filter_groups($authuser, $privs, 1);
-
+ my $privs = [ 'User.Modify', 'Sys.Audit', 'Group.Allocate'];
+
foreach my $group (keys %{$usercfg->{groups}}) {
- next if !($allow || $allowed_groups->{$group});
- my $entry = &$extract_group_data($usercfg->{groups}->{$group});
- $entry->{groupid} = $group;
+ next if !$rpcenv->check_any($authuser, "/access/groups/$group", $privs, 1);
+ my $data = $usercfg->{groups}->{$group};
+ my $entry = { groupid => $group };
+ $entry->{comment} = $data->{comment} if defined($data->{comment});
push @$res, $entry;
}
path => '',
method => 'POST',
permissions => {
- check => ['perm', '/access', ['Sys.Modify']],
+ check => ['perm', '/access/groups', ['Group.Allocate']],
},
description => "Create new group.",
parameters => {
path => '{groupid}',
method => 'PUT',
permissions => {
- check => ['perm', '/access', ['Sys.Modify']],
+ check => ['perm', '/access/groups', ['Group.Allocate']],
},
description => "Update group data.",
parameters => {
additionalProperties => 0,
properties => {
- # fixme: set/delete members
groupid => { type => 'string', format => 'pve-groupid' },
comment => { type => 'string', optional => 1 },
},
die "group '$group' does not exist\n"
if !$data;
- $data->{comment} = $param->{comment} if $param->{comment};
+ $data->{comment} = $param->{comment} if defined($param->{comment});
cfs_write_file("user.cfg", $usercfg);
- }, "create group failed");
+ }, "update group failed");
return undef;
}});
-# fixme: return format!
__PACKAGE__->register_method ({
name => 'read_group',
path => '{groupid}',
method => 'GET',
permissions => {
- check => ['perm', '/access', ['Sys.Audit']],
- },
+ check => ['perm', '/access/groups', ['Sys.Audit', 'Group.Allocate'], any => 1],
+ },
description => "Get group configuration.",
parameters => {
additionalProperties => 0,
groupid => { type => 'string', format => 'pve-groupid' },
},
},
- returns => {},
+ returns => {
+ type => "object",
+ additionalProperties => 0,
+ properties => {
+ comment => { type => 'string', optional => 1 },
+ members => {
+ type => 'array',
+ items => {
+ type => "string",
+ },
+ },
+ },
+ },
code => sub {
my ($param) = @_;
die "group '$group' does not exist\n" if !$data;
- return &$extract_group_data($data, 1);
+ my $members = $data->{users} ? [ keys %{$data->{users}} ] : [];
+
+ my $res = { members => $members };
+
+ $res->{comment} = $data->{comment} if defined($data->{comment});
+
+ return $res;
}});
path => '{groupid}',
method => 'DELETE',
permissions => {
- check => ['perm', '/access', ['Sys.Modify']],
+ check => ['perm', '/access/groups', ['Group.Allocate']],
},
description => "Delete group.",
parameters => {
projects / pve-access-control.git / blobdiff