use strict;
use warnings;
+use PVE::Exception qw(raise raise_perm_exc);
use PVE::Cluster qw (cfs_read_file cfs_write_file);
use PVE::Tools qw(split_list);
use PVE::AccessControl;
path => '',
method => 'GET',
description => "User index.",
+ permissions => {
+ description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
+ user => 'all',
+ },
parameters => {
additionalProperties => 0,
- properties => {},
+ properties => {
+ enabled => {
+ type => 'boolean',
+ description => "Optional filter for enable property.",
+ optional => 1,
+ }
+ },
},
returns => {
type => 'array',
code => sub {
my ($param) = @_;
+ my $rpcenv = PVE::RPCEnvironment::get();
+ my $usercfg = $rpcenv->{user_cfg};
+ my $authuser = $rpcenv->get_user();
+
my $res = [];
- my $usercfg = cfs_read_file("user.cfg");
-
+ my $privs = [ 'User.Modify', 'Sys.Audit' ];
+ my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1);
+ my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
+ my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
+
foreach my $user (keys %{$usercfg->{users}}) {
- next if $user eq 'root';
+
+ if (!($canUserMod || $user eq $authuser)) {
+ next if !$allowed_users->{$user};
+ }
my $entry = &$extract_user_data($usercfg->{users}->{$user});
+
+ if (defined($param->{enabled})) {
+ next if $entry->{enable} && !$param->{enabled};
+ next if !$entry->{enable} && $param->{enabled};
+ }
+
$entry->{userid} = $user;
push @$res, $entry;
}
protected => 1,
path => '',
method => 'POST',
+ permissions => {
+ description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
+ check => [ 'and',
+ [ 'userid-param', 'Realm.AllocateUser'],
+ [ 'userid-group', ['User.Modify'], groups_param => 1],
+ ],
+ },
description => "Create new user.",
parameters => {
additionalProperties => 0,
properties => {
userid => get_standard_option('userid'),
- password => { type => 'string', optional => 1 },
+ password => {
+ description => "Initial password.",
+ type => 'string',
+ optional => 1,
+ minLength => 5,
+ maxLength => 64
+ },
groups => { type => 'string', optional => 1, format => 'pve-groupid-list'},
firstname => { type => 'string', optional => 1 },
lastname => { type => 'string', optional => 1 },
if $usercfg->{users}->{$username};
PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
- if $param->{password};
+ if defined($param->{password});
my $enable = defined($param->{enable}) ? $param->{enable} : 1;
$usercfg->{users}->{$username} = { enable => $enable };
path => '{userid}',
method => 'GET',
description => "Get user configuration.",
+ permissions => {
+ check => ['userid-group', ['User.Modify', 'Sys.Audit']],
+ },
parameters => {
additionalProperties => 0,
properties => {
PVE::AccessControl::verify_username($param->{userid});
my $usercfg = cfs_read_file("user.cfg");
-
- my $data = $usercfg->{users}->{$username};
-
- die "user '$username' does not exist\n" if !$data;
+ my $data = PVE::AccessControl::check_user_exist($usercfg, $username);
+
return &$extract_user_data($data, 1);
}});
protected => 1,
path => '{userid}',
method => 'PUT',
+ permissions => {
+ check => ['userid-group', ['User.Modify'], groups_param => 1 ],
+ },
description => "Update user configuration.",
parameters => {
additionalProperties => 0,
properties => {
userid => get_standard_option('userid'),
- password => { type => 'string', optional => 1 },
groups => { type => 'string', optional => 1, format => 'pve-groupid-list' },
append => {
type => 'boolean',
returns => { type => 'null' },
code => sub {
my ($param) = @_;
+
+ my ($username, $ruid, $realm) =
+ PVE::AccessControl::verify_username($param->{userid});
PVE::AccessControl::lock_user_config(
sub {
-
- my ($username, $ruid, $realm) =
- PVE::AccessControl::verify_username($param->{userid});
my $usercfg = cfs_read_file("user.cfg");
- die "user '$username' does not exist\n"
- if !$usercfg->{users}->{$username};
-
- PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
- if $param->{password};
+ PVE::AccessControl::check_user_exist($usercfg, $username);
$usercfg->{users}->{$username}->{enable} = $param->{enable} if defined($param->{enable});
$usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire});
PVE::AccessControl::delete_user_group($username, $usercfg)
- if (!$param->{append} && $param->{groups});
+ if (!$param->{append} && defined($param->{groups}));
if ($param->{groups}) {
foreach my $group (split_list($param->{groups})) {
path => '{userid}',
method => 'DELETE',
description => "Delete user.",
+ permissions => {
+ check => [ 'and',
+ [ 'userid-param', 'Realm.AllocateUser'],
+ [ 'userid-group', ['User.Modify']],
+ ],
+ },
parameters => {
additionalProperties => 0,
properties => {
returns => { type => 'null' },
code => sub {
my ($param) = @_;
+
+ my $rpcenv = PVE::RPCEnvironment::get();
+ my $authuser = $rpcenv->get_user();
+
+ my ($userid, $ruid, $realm) =
+ PVE::AccessControl::verify_username($param->{userid});
PVE::AccessControl::lock_user_config(
sub {
- my ($username, $ruid, $realm) =
- PVE::AccessControl::verify_username($param->{userid});
-
my $usercfg = cfs_read_file("user.cfg");
- die "user '$username' does not exist\n"
- if !$usercfg->{users}->{$username};
-
- delete ($usercfg->{users}->{$username});
+ delete ($usercfg->{users}->{$userid});
PVE::AccessControl::delete_shadow_password($ruid) if $realm eq 'pve';
- PVE::AccessControl::delete_user_group($username, $usercfg);
- PVE::AccessControl::delete_user_acl($username, $usercfg);
+
+ PVE::AccessControl::delete_user_group($userid, $usercfg);
+ PVE::AccessControl::delete_user_acl($userid, $usercfg);
cfs_write_file("user.cfg", $usercfg);
}, "delete user failed");