method => 'GET',
description => "User index.",
permissions => {
- description => "The returned list is restricted to users where you have 'User.Modify' or 'User.Delete' permissions on '/access' or on a group the user belongs too. But it always includes the current (authenticated) user.",
+ description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
user => 'all',
},
parameters => {
my $res = [];
- my $privs = [ 'User.Modify', 'User.Delete' ];
-
- my $canUserMod = $rpcenv->check_any($authuser, "/access", $privs, 1);
+ my $privs = [ 'User.Modify', 'Sys.Audit' ];
+ my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1);
my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
path => '',
method => 'POST',
permissions => {
- description => "You need 'User.Add' permissions to '/access/groups/<group>' for any group specified, or 'User.Add' on '/access' if you pass no groups.",
- check => ['userid-group', ['User.Add'], groups_param => 1],
+ description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
+ check => [ 'and',
+ [ 'userid-param', 'Realm.AllocateUser'],
+ [ 'userid-group', ['User.Modify'], groups_param => 1],
+ ],
},
description => "Create new user.",
parameters => {
method => 'GET',
description => "Get user configuration.",
permissions => {
- check => ['userid-group', ['User.Modify']],
+ check => ['userid-group', ['User.Modify', 'Sys.Audit']],
},
parameters => {
additionalProperties => 0,
method => 'DELETE',
description => "Delete user.",
permissions => {
- check => ['userid-group', ['User.Delete']],
+ check => [ 'and',
+ [ 'userid-param', 'Realm.AllocateUser'],
+ [ 'userid-group', ['User.Modify']],
+ ],
},
parameters => {
additionalProperties => 0,
my $usercfg = cfs_read_file("user.cfg");
- delete ($usercfg->{users}->{$userid});
+ my $domain_cfg = cfs_read_file('domains.cfg');
+ if (my $cfg = $domain_cfg->{ids}->{$realm}) {
+ my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
+ $plugin->delete_user($cfg, $realm, $ruid);
+ }
- PVE::AccessControl::delete_shadow_password($ruid) if $realm eq 'pve';
+ delete $usercfg->{users}->{$userid};
PVE::AccessControl::delete_user_group($userid, $usercfg);
PVE::AccessControl::delete_user_acl($userid, $usercfg);