allow user to see his own entry

[pve-access-control.git] / PVE / API2 / User.pm

diff --git a/PVE/API2/User.pm b/PVE/API2/User.pm
index 6272cadbb1d366816ab86cec30e3ff6411cb1714..8b063641178197feecb376ecd42041e2675feca9 100644 (file)
--- a/PVE/API2/User.pm
+++ b/PVE/API2/User.pm
@@ -36,6 +36,7 @@ __PACKAGE__->register_method ({
     path => '', 
     method => 'GET',
     description => "User index.",
+    permissions => { user => 'all' },
     parameters => {
        additionalProperties => 0,
        properties => {
@@ -59,13 +60,17 @@ __PACKAGE__->register_method ({
     code => sub {
        my ($param) = @_;
     
+       my $rpcenv = PVE::RPCEnvironment::get();
+       my $authuser = $rpcenv->get_user();
+
        my $res = [];
 
        my $usercfg = cfs_read_file("user.cfg");
  
        foreach my $user (keys %{$usercfg->{users}}) {
-           next if $user eq 'root';
-           
+           # root sees all entries, a user only sees its own entry
+           next if $authuser ne 'root@pam' && $user ne $authuser;
+
            my $entry = &$extract_user_data($usercfg->{users}->{$user});
 
            if (defined($param->{enabled})) {
@@ -90,7 +95,7 @@ __PACKAGE__->register_method ({
        additionalProperties => 0,
        properties => {
            userid => get_standard_option('userid'),
-           password => { type => 'string', optional => 1 },
+           password => { type => 'string', optional => 1, minLength => 5, maxLength => 64 },
            groups => { type => 'string', optional => 1, format => 'pve-groupid-list'},
            firstname => { type => 'string', optional => 1 },
            lastname => { type => 'string', optional => 1 },
@@ -125,7 +130,7 @@ __PACKAGE__->register_method ({
                    if $usercfg->{users}->{$username};
                         
                PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
-                   if $param->{password};
+                   if defined($param->{password});
 
                my $enable = defined($param->{enable}) ? $param->{enable} : 1;
                $usercfg->{users}->{$username} = { enable => $enable };
@@ -200,7 +205,7 @@ __PACKAGE__->register_method ({
        additionalProperties => 0,
        properties => {
            userid => get_standard_option('userid'),
-           password => { type => 'string', optional => 1 },
+           password => { type => 'string', optional => 1, minLength => 5, maxLength => 64 },
            groups => { type => 'string', optional => 1,  format => 'pve-groupid-list'  },
            append => { 
                type => 'boolean', 
@@ -240,14 +245,14 @@ __PACKAGE__->register_method ({
                    if !$usercfg->{users}->{$username};
 
                PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
-                   if $param->{password};
+                   if defined($param->{password});
 
                $usercfg->{users}->{$username}->{enable} = $param->{enable} if defined($param->{enable});
 
                $usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire});
 
                PVE::AccessControl::delete_user_group($username, $usercfg) 
-                   if (!$param->{append} && $param->{groups});
+                   if (!$param->{append} && defined($param->{groups}));
 
                if ($param->{groups}) {
                    foreach my $group (split_list($param->{groups})) {