X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAPI2%2FACL.pm;h=866e0237459541ad6c9b246c1cd12eb22f27d21d;hp=8c5c388584f60ed211df315620a8ec04b19269dd;hb=bcf4eb3d4960aa2b3d1e63c482fc35b83bab2c0a;hpb=e3a3a0d746878fad68b2289d0e49c0bd7d954304 diff --git a/PVE/API2/ACL.pm b/PVE/API2/ACL.pm index 8c5c388..866e023 100644 --- a/PVE/API2/ACL.pm +++ b/PVE/API2/ACL.pm @@ -6,21 +6,34 @@ use PVE::Cluster qw (cfs_read_file cfs_write_file); use PVE::Tools qw(split_list); use PVE::AccessControl; use PVE::Exception qw(raise_param_exc); +use PVE::JSONSchema qw(get_standard_option register_standard_option); use PVE::SafeSyslog; -use Data::Dumper; # fixme: remove - use PVE::RESTHandler; use base qw(PVE::RESTHandler); +register_standard_option('acl-propagate', { + description => "Allow to propagate (inherit) permissions.", + type => 'boolean', + title => 'Propagate', + optional => 1, + default => 1, +}); +register_standard_option('acl-path', { + description => "Access control path", + title => 'Path', + type => 'string', +}); + __PACKAGE__->register_method ({ - name => 'read_acl', - path => '', + name => 'read_acl', + path => '', method => 'GET', description => "Get Access Control List (ACLs).", - permissions => { + permissions => { + description => "The returned list is restricted to objects where you have rights to modify permissions.", user => 'all', }, parameters => { 
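Review bot: The new `acl-path` standard option constrains the path only with `type => 'string'`, so an empty, overlong or otherwise malformed value passes the schema layer and reaches the `perm-modify` check and, in update_acl, the `$cfg->{acl}->{$path}` key untouched unless the handler normalizes it first (that part of the body is not in this hunk). Since this option is now shared by both the GET and PUT methods, it is the right place to state the expected form and to add a constraint, e.g. a `maxLength` or an anchored `pattern`, rather than relying on each caller. At minimum the description should say what a valid path looks like: `description => "Access control path (e.g. '/access'); must be the normalized form used as ACL key.",`, hedged as needed if normalization lives elsewhere. The read_acl `register_method` call that starts in this hunk continues past it.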
@@ -33,24 +46,24 @@ __PACKAGE__->register_method ({ type => "object", additionalProperties => 0, properties => { - path => { type => 'string' }, - type => { type => 'string', enum => ['user', 'group'] }, - ugid => { type => 'string' }, - roleid => { type => 'string' }, - propagate => { type => 'boolean' }, + propagate => get_standard_option('acl-propagate'), + path => get_standard_option('acl-path'), + type => { type => 'string', title => 'Type', enum => ['user', 'group'] }, + ugid => { type => 'string', title => 'ID' }, + roleid => { type => 'string', title => 'Role' }, }, }, }, code => sub { my ($param) = @_; - + my $rpcenv = PVE::RPCEnvironment::get(); my $authuser = $rpcenv->get_user(); my $res = []; my $usercfg = $rpcenv->{user_cfg}; if (!$usercfg || !$usercfg->{acl}) { - return {}; + return $res; } my $audit = $rpcenv->check($authuser, '/access', ['Sys.Audit'], 1); 
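Review bot: The `type`, `ugid` and `roleid` properties of the returned items receive a `title` but no `description`, while the two standard options beside them are documented; API-doc consumers cannot tell from the schema that `ugid` is a user or a group ID depending on `type`. Suggest `ugid => { type => 'string', title => 'ID', description => "User or group ID, depending on 'type'." },` and similar one-liners for `type` and `roleid`. The early `return $res;` now matches the declared array return, which is the actual fix here. The read_acl code block continues past this hunk (the Sys.Audit check and the filtering loop are outside view).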
@@ -80,43 +93,36 @@ __PACKAGE__->register_method ({ }}); __PACKAGE__->register_method ({ - name => 'update_acl', + name => 'update_acl', protected => 1, - path => '', + path => '', method => 'PUT', - permissions => { + permissions => { check => ['perm-modify', '{path}'], }, description => "Update Access Control List (add or remove permissions).", parameters => { - additionalProperties => 0, + additionalProperties => 0, properties => { - path => { - description => "Access control path", - type => 'string', - }, - users => { + propagate => get_standard_option('acl-propagate'), + path => get_standard_option('acl-path'), + users => { description => "List of users.", - type => 'string', format => 'pve-userid-list', + type => 'string', format => 'pve-userid-list', optional => 1, }, - groups => { + groups => { description => "List of groups.", type => 'string', format => 'pve-groupid-list', - optional => 1, + optional => 1, }, - roles => { + roles => { description => "List of roles.", type => 'string', format => 'pve-roleid-list', }, - propagate => { - description => "Allow to propagate (inherit) permissions.", - type => 'boolean', - optional => 1, - }, delete => { description => "Remove permissions (instead of adding it).", - type => 'boolean', + type => 'boolean', optional => 1, }, }, @@ -126,8 +132,8 @@ __PACKAGE__->register_method ({ my ($param) = @_; if (!($param->{users} || $param->{groups})) { - raise_param_exc({ - users => "either 'users' or 'groups' is required.", + raise_param_exc({ + users => "either 'users' or 'groups' is required.", groups => "either 'users' or 'groups' is required." }); } 
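Review bot: The `delete` parameter description does not say that `propagate` is ignored when it is set, yet the users branch visible in the last hunk simply deletes the role entry without consulting `$propagate` (the groups branch is outside the shown hunks, so I assume it behaves the same). With `propagate` now carrying a documented default of 1, a caller could reasonably expect `delete => 1, propagate => 0` to remove only the non-propagating entry. Suggest `description => "Remove permissions (instead of adding them). 'propagate' is ignored in this case.",`, which also fixes the number agreement in the existing text. The update_acl `register_method` call begins in this hunk and its `code` sub is outside it.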
@@ -136,13 +142,17 @@ __PACKAGE__->register_method ({ PVE::AccessControl::lock_user_config( sub { - + my $cfg = cfs_read_file("user.cfg"); - my $propagate = $param->{propagate} ? 1 : 0; + my $propagate = 1; + + if (defined($param->{propagate})) { + $propagate = $param->{propagate} ? 1 : 0; + } foreach my $role (split_list($param->{roles})) { - die "role '$role' does not exist\n" + die "role '$role' does not exist\n" if !$cfg->{roles}->{$role}; foreach my $group (split_list($param->{groups})) { @@ -167,7 +177,7 @@ __PACKAGE__->register_method ({ delete($cfg->{acl}->{$path}->{users}->{$username}->{$role}); } else { $cfg->{acl}->{$path}->{users}->{$username}->{$role} = $propagate; - } + } } }
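Review bot: Omitting `propagate` now results in `$propagate = 1`, whereas the removed `$param->{propagate} ? 1 : 0` produced 0, so existing callers that left the flag out will start granting permissions that are inherited down the tree — a widening of the effective grant that is consistent with the new schema default but deserves an explicit API-doc or changelog mention. The handler-side default also duplicates `default => 1` on the `acl-propagate` standard option; if the schema layer already fills defaults the branch is dead, and if it does not, the two values have to be kept in sync by hand. A single line, `my $propagate = ($param->{propagate} // 1) ? 1 : 0;`, expresses the same thing with one source of truth (defined-or needs Perl 5.10+). The `lock_user_config` sub that starts in this hunk continues past it.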