X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAPI2%2FACL.pm;h=84d7549cfb7809768ee63181aa1542595d27205d;hp=66f4129280fe937e537e887b54b0e4e8043f8b58;hb=e4f8fc2e7e5f31691629a5361000636f8a2b2398;hpb=9691923469709bd3f5660748e17a6036ad80faaa
diff --git a/PVE/API2/ACL.pm b/PVE/API2/ACL.pm
index 66f4129..84d7549 100644
--- a/PVE/API2/ACL.pm
+++ b/PVE/API2/ACL.pm
@@ -21,7 +21,8 @@ __PACKAGE__->register_method ({
     method => 'GET',
     description => "Get Access Control List (ACLs).",
     permissions => {
-        check => ['perm', '/access', ['Sys.Audit', 'Permissions.Modify'], any => 1],
+        description => "The returned list is restricted to objects where you have rights to modify permissions.",
+        user => 'all',
     },
     parameters => {
         additionalProperties => 0,
@@ -44,19 +45,23 @@ __PACKAGE__->register_method ({
     code => sub {
         my ($param) = @_;
 
+        my $rpcenv = PVE::RPCEnvironment::get();
+        my $authuser = $rpcenv->get_user();
         my $res = [];
 
-        my $usercfg = cfs_read_file("user.cfg");
-
+        my $usercfg = $rpcenv->{user_cfg};
         if (!$usercfg || !$usercfg->{acl}) {
-            return {};
+            return $res;
         }
 
+        my $audit = $rpcenv->check($authuser, '/access', ['Sys.Audit'], 1);
+
         my $acl = $usercfg->{acl};
         foreach my $path (keys %$acl) {
             foreach my $type (qw(users groups)) {
                 my $d = $acl->{$path}->{$type};
                 next if !$d;
+                next if !($audit || $rpcenv->check_perm_modify($authuser, $path, 1));
                 foreach my $id (keys %$d) {
                     foreach my $role (keys %{$d->{$id}}) {
                         my $propagate = $d->{$id}->{$role};
@@ -81,7 +86,7 @@ __PACKAGE__->register_method ({
     path => '',
     method => 'PUT',
     permissions => {
-        check => ['perm', '/access', ['Permissions.Modify']],
+        check => ['perm-modify', '{path}'],
     },
     description => "Update Access Control List (add or remove permissions).",
     parameters => {
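Review bot: The new permissions description on the GET handler understates what the code returns: the filter in the `code => sub` hunk below also hands the complete list to a user holding `Sys.Audit` on `/access`, so the result is not only "objects where you have rights to modify permissions". Since this string is what the API documentation shows, it should state both conditions, e.g. `description => "The returned list is restricted to objects where you have rights to modify permissions, or the full list with Sys.Audit on /access."`. The register_method call starts before and ends after this hunk.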
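Review bot: The per-path authorisation `next if !($audit || $rpcenv->check_perm_modify($authuser, $path, 1));` sits inside the `$type` loop, so check_perm_modify runs twice for every path a non-audit user cannot modify (once for `users`, once for `groups`) although its outcome depends on `$path` alone; moving that same line to directly after `foreach my $path (keys %$acl) {` keeps the behaviour and halves the permission walks. Separately, `my $usercfg = $rpcenv->{user_cfg};` reaches into the RPCEnvironment object's hash where the old code re-read the file via cfs_read_file; if `user_cfg` is not populated in some environments (presumably a non-daemon caller), the early `return $res;` now silently yields an empty list instead of an error, which deserves either an accessor or a one-line comment stating that an unloaded config is treated as "no ACLs". The `code` sub starts and ends outside this hunk.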
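Review bot: `check => ['perm-modify', '{path}']` evaluates the modify permission on the `path` parameter exactly as submitted, whereas the ACL entries the PUT handler writes are keyed by whatever string the body ends up using; if the body normalises the path (trailing or repeated slashes) before storing it, the object that was authorised and the object that is modified could be different keys. It would be worth confirming that the `path` parameter schema (outside this hunk) constrains the value to a canonical form, or that check_perm_modify canonicalises it the same way the handler does, and noting which one is authoritative in a comment next to this check. The register_method call continues outside the hunk.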
@@ -109,6 +114,7 @@ __PACKAGE__->register_method ({
             description => "Allow to propagate (inherit) permissions.",
             type => 'boolean',
             optional => 1,
+            default => 1,
         },
         delete => {
             description => "Remove permissions (instead of adding it).",
@@ -135,7 +141,11 @@ __PACKAGE__->register_method ({
         my $cfg = cfs_read_file("user.cfg");
 
-        my $propagate = $param->{propagate} ? 1 : 0;
+        my $propagate = 1;
+
+        if (defined($param->{propagate})) {
+            $propagate = $param->{propagate} ? 1 : 0;
+        }
 
         foreach my $role (split_list($param->{roles})) {
             die "role '$role' does not exist\n"
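Review bot: `default => 1` here and the explicit `my $propagate = 1;` fallback in the `@@ -135,7 +141,11 @@` hunk encode the same default in two places; if the schema layer fills in defaults before `code` runs, the `defined($param->{propagate})` branch is dead, and if it does not, the two values must be kept in sync by hand. A short comment on the handler side such as `# schema declares default => 1 as well; keep both in sync` would make the coupling visible. The `propagate` parameter definition and the handler both begin outside this hunk.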