use PVE::SafeSyslog;
-use Data::Dumper; # fixme: remove
-
use PVE::RESTHandler;
use base qw(PVE::RESTHandler);
my $res = {};
- foreach my $prop (qw(enable expire firstname lastname email comment)) {
+ foreach my $prop (qw(enable expire firstname lastname email comment keys)) {
$res->{$prop} = $data->{$prop} if defined($data->{$prop});
}
path => '',
method => 'GET',
description => "User index.",
- permissions => { user => 'all' },
+ permissions => {
+ description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
+ user => 'all',
+ },
parameters => {
additionalProperties => 0,
properties => {
my $res = [];
- my $privs = [ 'Sys.UserMod', 'Sys.UserAdd' ];
-
- my $canUserMod = $rpcenv->check_any($authuser, "/access", $privs, 1);
+ my $privs = [ 'User.Modify', 'Sys.Audit' ];
+ my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1);
my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
protected => 1,
path => '',
method => 'POST',
+ permissions => {
+ description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
+ check => [ 'and',
+ [ 'userid-param', 'Realm.AllocateUser'],
+ [ 'userid-group', ['User.Modify'], groups_param => 1],
+ ],
+ },
description => "Create new user.",
parameters => {
additionalProperties => 0,
minLength => 5,
maxLength => 64
},
- groups => { type => 'string', optional => 1, format => 'pve-groupid-list'},
+ groups => {
+ type => 'string', format => 'pve-groupid-list',
+ optional => 1,
+ completion => \&PVE::AccessControl::complete_group,
+ },
firstname => { type => 'string', optional => 1 },
lastname => { type => 'string', optional => 1 },
email => { type => 'string', optional => 1, format => 'email-opt' },
comment => { type => 'string', optional => 1 },
+ keys => {
+ description => "Keys for two factor auth (yubico).",
+ type => 'string',
+ optional => 1,
+ },
expire => {
description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
type => 'integer',
$usercfg->{users}->{$username}->{lastname} = $param->{lastname} if $param->{lastname};
$usercfg->{users}->{$username}->{email} = $param->{email} if $param->{email};
$usercfg->{users}->{$username}->{comment} = $param->{comment} if $param->{comment};
+ $usercfg->{users}->{$username}->{keys} = $param->{keys} if $param->{keys};
cfs_write_file("user.cfg", $usercfg);
}, "create user failed");
path => '{userid}',
method => 'GET',
description => "Get user configuration.",
+ permissions => {
+ check => ['userid-group', ['User.Modify', 'Sys.Audit']],
+ },
parameters => {
additionalProperties => 0,
properties => {
lastname => { type => 'string', optional => 1 },
email => { type => 'string', optional => 1 },
comment => { type => 'string', optional => 1 },
+ keys => { type => 'string', optional => 1 },
groups => { type => 'array' },
}
},
protected => 1,
path => '{userid}',
method => 'PUT',
+ permissions => {
+ check => ['userid-group', ['User.Modify'], groups_param => 1 ],
+ },
description => "Update user configuration.",
parameters => {
additionalProperties => 0,
properties => {
- userid => get_standard_option('userid'),
- groups => { type => 'string', optional => 1, format => 'pve-groupid-list' },
+ userid => get_standard_option('userid', {
+ completion => \&PVE::AccessControl::complete_username,
+ }),
+ groups => {
+ type => 'string', format => 'pve-groupid-list',
+ optional => 1,
+ completion => \&PVE::AccessControl::complete_group,
+ },
append => {
type => 'boolean',
optional => 1,
lastname => { type => 'string', optional => 1 },
email => { type => 'string', optional => 1, format => 'email-opt' },
comment => { type => 'string', optional => 1 },
+ keys => {
+ description => "Keys for two factor auth (yubico).",
+ type => 'string',
+ optional => 1,
+ },
expire => {
description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
type => 'integer',
$usercfg->{users}->{$username}->{lastname} = $param->{lastname} if defined($param->{lastname});
$usercfg->{users}->{$username}->{email} = $param->{email} if defined($param->{email});
$usercfg->{users}->{$username}->{comment} = $param->{comment} if defined($param->{comment});
+ $usercfg->{users}->{$username}->{keys} = $param->{keys} if defined($param->{keys});
cfs_write_file("user.cfg", $usercfg);
}, "update user failed");
path => '{userid}',
method => 'DELETE',
description => "Delete user.",
- permissions => { user => 'all' },
+ permissions => {
+ check => [ 'and',
+ [ 'userid-param', 'Realm.AllocateUser'],
+ [ 'userid-group', ['User.Modify']],
+ ],
+ },
parameters => {
additionalProperties => 0,
properties => {
- userid => get_standard_option('userid'),
+ userid => get_standard_option('userid', {
+ completion => \&PVE::AccessControl::complete_username,
+ }),
}
},
returns => { type => 'null' },
my $usercfg = cfs_read_file("user.cfg");
- PVE::AccessControl::check_user_exist($usercfg, $userid);
-
- my $privs = [ 'Sys.UserAdd' ]; # there is no Sys.UserDel
- if (!$rpcenv->check($authuser, "/access", $privs, 1)) {
- my $groups = $rpcenv->filter_groups($authuser, sub { return "/access/groups/" . shift; }, $privs, 1);
- my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
- raise_perm_exc() if !$allowed_users->{$userid};
+ my $domain_cfg = cfs_read_file('domains.cfg');
+ if (my $cfg = $domain_cfg->{ids}->{$realm}) {
+ my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
+ $plugin->delete_user($cfg, $realm, $ruid);
}
- delete ($usercfg->{users}->{$userid});
-
- PVE::AccessControl::delete_shadow_password($ruid) if $realm eq 'pve';
+ delete $usercfg->{users}->{$userid};
PVE::AccessControl::delete_user_group($userid, $usercfg);
PVE::AccessControl::delete_user_acl($userid, $usercfg);
projects / pve-access-control.git / blobdiff