use PVE::AccessControl;
use PVE::SafeSyslog;
use PVE::RESTHandler;
+use PVE::JSONSchema qw(get_standard_option register_standard_option);
use base qw(PVE::RESTHandler);
+register_standard_option('group-id', {
+ type => 'string',
+ format => 'pve-groupid',
+ completion => \&PVE::AccessControl::complete_group,
+});
+
+register_standard_option('group-comment', { type => 'string', optional => 1 });
+
__PACKAGE__->register_method ({
name => 'index',
path => '',
method => 'GET',
description => "Group index.",
permissions => {
- description => "The returned list is restricted to groups where you have 'User.Allocate' or 'Sys.Audit' permissions on '/access', or 'User.Allocate' on /access/groups/<group>.",
+ description => "The returned list is restricted to groups where you have 'User.Modify', 'Sys.Audit' or 'Group.Allocate' permissions on /access/groups/<group>.",
user => 'all',
},
parameters => {
items => {
type => "object",
properties => {
- groupid => { type => 'string' },
+ groupid => get_standard_option('group-id'),
+ comment => get_standard_option('group-comment'),
},
},
links => [ { rel => 'child', href => "{groupid}" } ],
my $usercfg = cfs_read_file("user.cfg");
my $authuser = $rpcenv->get_user();
- my $privs = [ 'User.Allocate', 'Sys.Audit' ];
- my $allow = $rpcenv->check_any($authuser, "/access", $privs, 1);
- my $allowed_groups = $rpcenv->filter_groups($authuser, $privs, 1);
-
+ my $privs = [ 'User.Modify', 'Sys.Audit', 'Group.Allocate'];
+
foreach my $group (keys %{$usercfg->{groups}}) {
- next if !($allow || $allowed_groups->{$group});
+ next if !$rpcenv->check_any($authuser, "/access/groups/$group", $privs, 1);
my $data = $usercfg->{groups}->{$group};
my $entry = { groupid => $group };
$entry->{comment} = $data->{comment} if defined($data->{comment});
path => '',
method => 'POST',
permissions => {
- check => ['perm', '/access', ['Sys.Modify']],
+ check => ['perm', '/access/groups', ['Group.Allocate']],
},
description => "Create new group.",
parameters => {
additionalProperties => 0,
properties => {
- groupid => { type => 'string', format => 'pve-groupid' },
- comment => { type => 'string', optional => 1 },
+ groupid => get_standard_option('group-id'),
+ comment => get_standard_option('group-comment'),
},
},
returns => { type => 'null' },
path => '{groupid}',
method => 'PUT',
permissions => {
- check => ['perm', '/access', ['Sys.Modify']],
+ check => ['perm', '/access/groups', ['Group.Allocate']],
},
description => "Update group data.",
parameters => {
additionalProperties => 0,
properties => {
- groupid => { type => 'string', format => 'pve-groupid' },
- comment => { type => 'string', optional => 1 },
+ groupid => get_standard_option('group-id'),
+ comment => get_standard_option('group-comment'),
},
},
returns => { type => 'null' },
path => '{groupid}',
method => 'GET',
permissions => {
- check => ['perm', '/access', ['Sys.Audit']],
- },
+ check => ['perm', '/access/groups', ['Sys.Audit', 'Group.Allocate'], any => 1],
+ },
description => "Get group configuration.",
parameters => {
additionalProperties => 0,
properties => {
- groupid => { type => 'string', format => 'pve-groupid' },
+ groupid => get_standard_option('group-id'),
},
},
returns => {
type => "object",
additionalProperties => 0,
properties => {
- comment => { type => 'string', optional => 1 },
+ comment => get_standard_option('group-comment'),
members => {
type => 'array',
- items => {
- type => "string",
- },
+ items => get_standard_option('userid-completed')
},
},
},
path => '{groupid}',
method => 'DELETE',
permissions => {
- check => ['perm', '/access', ['Sys.Modify']],
+ check => ['perm', '/access/groups', ['Group.Allocate']],
},
description => "Delete group.",
parameters => {
additionalProperties => 0,
properties => {
- groupid => { type => 'string' , format => 'pve-groupid' },
+ groupid => get_standard_option('group-id'),
}
},
returns => { type => 'null' },