X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAPI2%2FACL.pm;h=866e0237459541ad6c9b246c1cd12eb22f27d21d;hp=66f4129280fe937e537e887b54b0e4e8043f8b58;hb=bcf4eb3d4960aa2b3d1e63c482fc35b83bab2c0a;hpb=9691923469709bd3f5660748e17a6036ad80faaa
diff --git a/PVE/API2/ACL.pm b/PVE/API2/ACL.pm
index 66f4129..866e023 100644
--- a/PVE/API2/ACL.pm
+++ b/PVE/API2/ACL.pm
@@ -6,22 +6,35 @@ use PVE::Cluster qw (cfs_read_file cfs_write_file);
 use PVE::Tools qw(split_list);
 use PVE::AccessControl;
 use PVE::Exception qw(raise_param_exc);
+use PVE::JSONSchema qw(get_standard_option register_standard_option);
 use PVE::SafeSyslog;
-use Data::Dumper; # fixme: remove
-
 use PVE::RESTHandler;
 use base qw(PVE::RESTHandler);
+register_standard_option('acl-propagate', {
+    description => "Allow to propagate (inherit) permissions.",
+    type => 'boolean',
+    title => 'Propagate',
+    optional => 1,
+    default => 1,
+});
+register_standard_option('acl-path', {
+    description => "Access control path",
+    title => 'Path',
+    type => 'string',
+});
+
 __PACKAGE__->register_method ({
-    name => 'read_acl',
-    path => '',
+    name => 'read_acl',
+    path => '',
     method => 'GET',
     description => "Get Access Control List (ACLs).",
-    permissions => {
-        check => ['perm', '/access', ['Sys.Audit', 'Permissions.Modify'], any => 1],
+    permissions => {
+        description => "The returned list is restricted to objects where you have rights to modify permissions.",
+        user => 'all',
     },
     parameters => {
         additionalProperties => 0,
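Review bot: The `description` added under `permissions` in read_acl states that the list is restricted to objects where the caller may modify permissions, but the filter added in the next hunk also returns every entry when `$rpcenv->check($authuser, '/access', ['Sys.Audit'], 1)` succeeds (assuming the trailing `1` makes `check` return a boolean rather than die, as its use in `$audit || ...` suggests), so the documented contract is narrower than the behaviour. Suggest `description => "The returned list is restricted to objects where you have rights to modify permissions; with 'Sys.Audit' on '/access' the full list is returned.",`. The `register_method` call opened here continues in the following hunks.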
@@ -33,30 +46,34 @@ __PACKAGE__->register_method ({
             type => "object",
             additionalProperties => 0,
             properties => {
-                path => { type => 'string' },
-                type => { type => 'string', enum => ['user', 'group'] },
-                ugid => { type => 'string' },
-                roleid => { type => 'string' },
-                propagate => { type => 'boolean' },
+                propagate => get_standard_option('acl-propagate'),
+                path => get_standard_option('acl-path'),
+                type => { type => 'string', title => 'Type', enum => ['user', 'group'] },
+                ugid => { type => 'string', title => 'ID' },
+                roleid => { type => 'string', title => 'Role' },
             },
         },
     },
     code => sub {
         my ($param) = @_;
-
-        my $res = [];
-        my $usercfg = cfs_read_file("user.cfg");
+        my $rpcenv = PVE::RPCEnvironment::get();
+        my $authuser = $rpcenv->get_user();
+        my $res = [];
+        my $usercfg = $rpcenv->{user_cfg};
         if (!$usercfg || !$usercfg->{acl}) {
-            return {};
+            return $res;
         }
+        my $audit = $rpcenv->check($authuser, '/access', ['Sys.Audit'], 1);
+
         my $acl = $usercfg->{acl};
         foreach my $path (keys %$acl) {
             foreach my $type (qw(users groups)) {
                 my $d = $acl->{$path}->{$type};
                 next if !$d;
+                next if !($audit || $rpcenv->check_perm_modify($authuser, $path, 1));
                 foreach my $id (keys %$d) {
                     foreach my $role (keys %{$d->{$id}}) {
                         my $propagate = $d->{$id}->{$role};
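Review bot: `PVE::RPCEnvironment::get()` is called on the new `my $rpcenv` line, but the import hunk above adds only `use PVE::JSONSchema ...` and no `use PVE::RPCEnvironment;` appears anywhere in this diff; unless the module is loaded in a part of the file outside these hunks or by every caller that loads this API module, the call fails at runtime with an undefined-subroutine error. Adding `use PVE::RPCEnvironment;` next to the other `use PVE::...` lines removes that dependency on load order. Separately, the new `next if !($audit || $rpcenv->check_perm_modify($authuser, $path, 1));` guard sits inside the `foreach my $type` loop, so the per-path permission check runs once for `users` and once for `groups`; moving it to the `foreach my $path` level keeps the output identical and halves the checks for paths that carry both kinds of entries. The `code` sub continues past the end of this hunk.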
@@ -76,43 +93,36 @@ __PACKAGE__->register_method ({
 }});
 __PACKAGE__->register_method ({
-    name => 'update_acl',
+    name => 'update_acl',
     protected => 1,
-    path => '',
+    path => '',
     method => 'PUT',
-    permissions => {
-        check => ['perm', '/access', ['Permissions.Modify']],
+    permissions => {
+        check => ['perm-modify', '{path}'],
     },
     description => "Update Access Control List (add or remove permissions).",
     parameters => {
-        additionalProperties => 0,
+        additionalProperties => 0,
         properties => {
-            path => {
-                description => "Access control path",
-                type => 'string',
-            },
-            users => {
+            propagate => get_standard_option('acl-propagate'),
+            path => get_standard_option('acl-path'),
+            users => {
                 description => "List of users.",
-                type => 'string', format => 'pve-userid-list',
+                type => 'string', format => 'pve-userid-list',
                 optional => 1,
             },
-            groups => {
+            groups => {
                 description => "List of groups.",
                 type => 'string', format => 'pve-groupid-list',
-                optional => 1,
+                optional => 1,
             },
-            roles => {
+            roles => {
                 description => "List of roles.",
                 type => 'string', format => 'pve-roleid-list',
             },
-            propagate => {
-                description => "Allow to propagate (inherit) permissions.",
-                type => 'boolean',
-                optional => 1,
-            },
             delete => {
                 description => "Remove permissions (instead of adding it).",
-                type => 'boolean',
+                type => 'boolean',
                 optional => 1,
             },
         },
@@ -122,8 +132,8 @@ __PACKAGE__->register_method ({
         my ($param) = @_;
         if (!($param->{users} || $param->{groups})) {
-            raise_param_exc({
-                users => "either 'users' or 'groups' is required.",
+            raise_param_exc({
+                users => "either 'users' or 'groups' is required.",
                 groups => "either 'users' or 'groups' is required."
             });
         }
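Review bot: The new `check => ['perm-modify', '{path}']` line replaces a global `Permissions.Modify` check on `/access` with a per-path check driven by the request's `path` parameter, yet the `permissions` block gets no `description` (read_acl's does), so the generated API documentation will not tell users that the right they need is tied to the target path; as far as this diff shows, the only validation of the role being assigned is the existence check in the `foreach my $role` loop of a later hunk. A one-line description mirroring read_acl's wording, e.g. `description => "Requires rights to modify permissions on the given path.",`, would make the delegation model explicit — adjust the wording to whatever `perm-modify` actually enforces in the RPC environment, which is not visible here. The `code` sub of update_acl begins in a later hunk.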
@@ -132,13 +142,17 @@ __PACKAGE__->register_method ({
         PVE::AccessControl::lock_user_config(
             sub {
-
+
                 my $cfg = cfs_read_file("user.cfg");
-                my $propagate = $param->{propagate} ? 1 : 0;
+                my $propagate = 1;
+
+                if (defined($param->{propagate})) {
+                    $propagate = $param->{propagate} ? 1 : 0;
+                }
                 foreach my $role (split_list($param->{roles})) {
-                    die "role '$role' does not exist\n"
+                    die "role '$role' does not exist\n"
                         if !$cfg->{roles}->{$role};
                     foreach my $group (split_list($param->{groups})) {
@@ -163,7 +177,7 @@ __PACKAGE__->register_method ({
                         delete($cfg->{acl}->{$path}->{users}->{$username}->{$role});
                     } else {
                         $cfg->{acl}->{$path}->{users}->{$username}->{$role} = $propagate;
-                    }
+                    }
                 }
             }
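Review bot: The five lines from `my $propagate = 1;` through the closing `}` of the `if (defined($param->{propagate}))` block re-implement a default that the `acl-propagate` standard option already declares with `default => 1` in the first hunk; whether the schema layer fills that default into `$param` before `code` runs is not visible here, so keeping an explicit fallback is defensible, but it reads more clearly as one line: `my $propagate = ($param->{propagate} // 1) ? 1 : 0;` (defined-or needs perl 5.10 or later). If the schema does apply defaults, a comment such as `# schema default is 1; keep the fallback for callers that bypass validation` would explain why the check stays. The `lock_user_config` callback continues past the end of this hunk.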