use warnings;
use PVE::Cluster qw (cfs_read_file cfs_write_file);
use PVE::AccessControl;
-
use PVE::SafeSyslog;
-
-use Data::Dumper; # fixme: remove
-
use PVE::RESTHandler;
+use PVE::JSONSchema qw(get_standard_option register_standard_option);
use base qw(PVE::RESTHandler);
-my $extract_group_data = sub {
- my ($data, $full) = @_;
-
- my $res = {};
-
- $res->{comment} = $data->{comment} if defined($data->{comment});
-
- return $res if !$full;
-
- $res->{users} = $data->{users} ? [ keys %{$data->{users}} ] : [];
+register_standard_option('group-id', {
+ type => 'string',
+ format => 'pve-groupid',
+ completion => \&PVE::AccessControl::complete_group,
+});
- return $res;
-};
+register_standard_option('group-comment', { type => 'string', optional => 1 });
-# fixme: index should return more/all attributes?
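Review bot: The `group-comment` standard option registered here is an unconstrained string, with no `maxLength` and no pattern, and the update handler further down copies it into the group entry just before `cfs_write_file("user.cfg", $usercfg)`. Whether the user.cfg writer escapes newlines or field separators is not visible in this diff, so that should be confirmed. Bounding the value in the schema with a `maxLength` (limit to be chosen by the project) is worthwhile either way. A one-line comment above the two calls, e.g. `# schema fragments shared by the group index/create/update/read methods`, would also document why they are registered globally.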
__PACKAGE__->register_method ({
name => 'index',
path => '',
method => 'GET',
description => "Group index.",
+ permissions => {
+ description => "The returned list is restricted to groups where you have 'User.Modify', 'Sys.Audit' or 'Group.Allocate' permissions on /access/groups/<group>.",
+ user => 'all',
+ },
parameters => {
additionalProperties => 0,
properties => {},
items => {
type => "object",
properties => {
- groupid => { type => 'string' },
+ groupid => get_standard_option('group-id'),
+ comment => get_standard_option('group-comment'),
},
},
links => [ { rel => 'child', href => "{groupid}" } ],
my $res = [];
+ my $rpcenv = PVE::RPCEnvironment::get();
my $usercfg = cfs_read_file("user.cfg");
-
+ my $authuser = $rpcenv->get_user();
+
+ my $privs = [ 'User.Modify', 'Sys.Audit', 'Group.Allocate'];
+
foreach my $group (keys %{$usercfg->{groups}}) {
- my $entry = &$extract_group_data($usercfg->{groups}->{$group});
- $entry->{groupid} = $group;
+ next if !$rpcenv->check_any($authuser, "/access/groups/$group", $privs, 1);
+ my $data = $usercfg->{groups}->{$group};
+ my $entry = { groupid => $group };
+ $entry->{comment} = $data->{comment} if defined($data->{comment});
push @$res, $entry;
}
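Review bot: `PVE::RPCEnvironment::get()` is called in the new index code, but none of the `use` lines visible at the top of this diff load `PVE::RPCEnvironment`. Unless it is loaded above the first visible line or by another module, this depends on load order. Adding `use PVE::RPCEnvironment;` next to the other imports makes the dependency explicit. The bare `1` passed as the last argument to `check_any` would benefit from a comment such as `# noerr: silently skip groups the caller may not see`; that is presumably its meaning, to be confirmed against `check_any`. The enclosing `code` sub starts and ends outside this hunk.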
protected => 1,
path => '',
method => 'POST',
+ permissions => {
+ check => ['perm', '/access/groups', ['Group.Allocate']],
+ },
description => "Create new group.",
parameters => {
additionalProperties => 0,
properties => {
- groupid => { type => 'string', format => 'pve-groupid' },
- comment => { type => 'string', optional => 1 },
+ groupid => get_standard_option('group-id'),
+ comment => get_standard_option('group-comment'),
},
},
returns => { type => 'null' },
protected => 1,
path => '{groupid}',
method => 'PUT',
+ permissions => {
+ check => ['perm', '/access/groups', ['Group.Allocate']],
+ },
description => "Update group data.",
parameters => {
additionalProperties => 0,
properties => {
- # fixme: set/delete members
- groupid => { type => 'string', format => 'pve-groupid' },
- comment => { type => 'string', optional => 1 },
+ groupid => get_standard_option('group-id'),
+ comment => get_standard_option('group-comment'),
},
},
returns => { type => 'null' },
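Review bot: The permission check added to the PUT method uses the collection path `/access/groups`, while the index filters each entry against `/access/groups/$group` and its description promises visibility based on per-group permissions. A user holding 'Group.Allocate' or 'Sys.Audit' on a single group's path would see that group listed yet apparently be refused here, and the same collection path is used in `read_group` and the DELETE method. This is the stricter direction, so it is an inconsistency rather than an exposure. If per-group delegation is intended, the check should name the group, e.g. `check => ['perm', '/access/groups/{groupid}', ['Group.Allocate']],`, assuming the checker substitutes URI parameters in the path. Otherwise the index description should state that the per-group methods require the privilege on `/access/groups` itself.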
die "group '$group' does not exist\n"
if !$data;
- $data->{comment} = $param->{comment} if $param->{comment};
+ $data->{comment} = $param->{comment} if defined($param->{comment});
cfs_write_file("user.cfg", $usercfg);
- }, "create group failed");
+ }, "update group failed");
return undef;
}});
-# fixme: return format!
__PACKAGE__->register_method ({
name => 'read_group',
path => '{groupid}',
method => 'GET',
+ permissions => {
+ check => ['perm', '/access/groups', ['Sys.Audit', 'Group.Allocate'], any => 1],
+ },
description => "Get group configuration.",
parameters => {
additionalProperties => 0,
properties => {
- groupid => { type => 'string', format => 'pve-groupid' },
+ groupid => get_standard_option('group-id'),
+ },
+ },
+ returns => {
+ type => "object",
+ additionalProperties => 0,
+ properties => {
+ comment => get_standard_option('group-comment'),
+ members => {
+ type => 'array',
+ items => get_standard_option('userid-completed')
+ },
},
},
- returns => {},
code => sub {
my ($param) = @_;
die "group '$group' does not exist\n" if !$data;
- return &$extract_group_data($data, 1);
+ my $members = $data->{users} ? [ keys %{$data->{users}} ] : [];
+
+ my $res = { members => $members };
+
+ $res->{comment} = $data->{comment} if defined($data->{comment});
+
+ return $res;
}});
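Review bot: The member list in the `read_group` response is now returned under `members` where the removed helper used `users`, and nothing in the method description tells API clients about the rename. A note in `description`, or in the changelog, would help callers that key on the old name. The list is also built with `keys`, so its order follows hash iteration order; `my $members = $data->{users} ? [ sort keys %{$data->{users}} ] : [];` would give stable output for clients and for audit diffs. The lines that look up `$group` and `$data` fall between the visible parts of this sub and are not shown here.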
protected => 1,
path => '{groupid}',
method => 'DELETE',
+ permissions => {
+ check => ['perm', '/access/groups', ['Group.Allocate']],
+ },
description => "Delete group.",
parameters => {
additionalProperties => 0,
properties => {
- groupid => { type => 'string' , format => 'pve-groupid' },
+ groupid => get_standard_option('group-id'),
}
},
returns => { type => 'null' },