X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAPI2%2FACL.pm;h=84d7549cfb7809768ee63181aa1542595d27205d;hp=f122542defb292fc71d7d344f72217146ab761de;hb=e4f8fc2e7e5f31691629a5361000636f8a2b2398;hpb=2c3a6c0aaac7fbdaeb26bc5a596d21e897f3343a

diff --git a/PVE/API2/ACL.pm b/PVE/API2/ACL.pm
index f122542..84d7549 100644
--- a/PVE/API2/ACL.pm
+++ b/PVE/API2/ACL.pm
@@ -20,6 +20,10 @@ __PACKAGE__->register_method ({
     path => '', 
     method => 'GET',
     description => "Get Access Control List (ACLs).",
+    permissions => { 
+	description => "The returned list is restricted to objects where you have rights to modify permissions.",
+	user => 'all',
+    },
     parameters => {
 	additionalProperties => 0,
 	properties => {},
@@ -41,19 +45,23 @@ __PACKAGE__->register_method ({
     code => sub {
 	my ($param) = @_;
     
+	my $rpcenv = PVE::RPCEnvironment::get();
+	my $authuser = $rpcenv->get_user();
 	my $res = [];
 
-	my $usercfg = cfs_read_file("user.cfg");
-
+	my $usercfg = $rpcenv->{user_cfg};
 	if (!$usercfg || !$usercfg->{acl}) {
-	    return {};
+	    return $res;
 	}
 
+	my $audit = $rpcenv->check($authuser, '/access', ['Sys.Audit'], 1);
+
 	my $acl = $usercfg->{acl};
 	foreach my $path (keys %$acl) {
 	    foreach my $type (qw(users groups)) {
 		my $d = $acl->{$path}->{$type};
 		next if !$d;
+		next if !($audit || $rpcenv->check_perm_modify($authuser, $path, 1));
 		foreach my $id (keys %$d) {
 		    foreach my $role (keys %{$d->{$id}}) {
 			my $propagate = $d->{$id}->{$role};
@@ -77,6 +85,9 @@ __PACKAGE__->register_method ({
     protected => 1,
     path => '', 
     method => 'PUT',
+    permissions => { 
+	check => ['perm-modify', '{path}'],
+    },
     description => "Update Access Control List (add or remove permissions).",
     parameters => {
    	additionalProperties => 0,
@@ -103,6 +114,7 @@ __PACKAGE__->register_method ({
 		description => "Allow to propagate (inherit) permissions.",
 		type => 'boolean', 
 		optional => 1,
+		default => 1,
 	    },
 	    delete => {
 		description => "Remove permissions (instead of adding it).",
@@ -129,7 +141,11 @@ __PACKAGE__->register_method ({
 			
 		my $cfg = cfs_read_file("user.cfg");
 
-		my $propagate = $param->{propagate} ? 1 : 0;
+		my $propagate = 1;
+		
+		if (defined($param->{propagate})) {
+		    $propagate = $param->{propagate} ? 1 : 0;
+		}
 
 		foreach my $role (split_list($param->{roles})) {
 		    die "role '$role' does not exist\n"