X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAPI2%2FAccessControl.pm;h=5e132920cdedf197728a22133a4413d3a0788ecb;hp=141bc44831a61c5f55a3a3e6f3ff6c0965d78cb1;hb=ab652a80189a1498caba8c7f3f2641affe9ec3bf;hpb=dd2cfee072b8ebe8280595b250dafdb2786297af
diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm
index 141bc44..5e13292 100644
--- a/PVE/API2/AccessControl.pm
+++ b/PVE/API2/AccessControl.pm
@@ -151,12 +151,22 @@ my $compute_api_permission = sub {
 dc => {},
 };
- foreach my $vmid (keys %$idlist, '__phantom__') {
- my $perm = $rpcenv->permissions($authuser, "/vms/$vmid");
+ my $extract_vm_caps = sub {
+ my ($path) = @_;
+
+ my $perm = $rpcenv->permissions($authuser, $path);
 foreach my $priv (keys %$perm) {
- next if !($priv eq 'Permissions.Modify' ||$priv =~ m/^VM\./);
+ next if !($priv eq 'Permissions.Modify' || $priv =~ m/^VM\./);
 $res->{vms}->{$priv} = 1;
 }
+ };
+
+ foreach my $pool (keys %{$usercfg->{pools}}) {
+ &$extract_vm_caps("/pool/$pool");
+ }
+
+ foreach my $vmid (keys %$idlist, '__phantom__') {
+ &$extract_vm_caps("/vms/$vmid");
 }
 foreach my $storeid (@sids, '__phantom__') {
@@ -196,6 +206,18 @@ my $compute_api_permission = sub {
 return $res;
 };
+__PACKAGE__->register_method ({
+ name => 'get_ticket',
+ path => 'ticket',
+ method => 'GET',
+ permissions => { user => 'world' },
+ description => "Dummy. Useful for formaters which want to priovde a login page.",
+ parameters => {
+ additionalProperties => 0,
+ },
+ returns => { type => "null" },
+ code => sub { return undef; }});
+
 __PACKAGE__->register_method ({
 name => 'create_ticket',
 path => 'ticket',
@@ -254,7 +276,6 @@ __PACKAGE__->register_method ({
 my $rpcenv = PVE::RPCEnvironment::get();
 my $res;
-
 eval {
 # test if user exists and is enabled
 $rpcenv->check_user_enabled($username);
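Review bot: In the `@@ -151,12 +151,22 @@` hunk, the new pool loop folds the `VM.*` and `Permissions.Modify` privileges of every pool into the single `$res->{vms}` set, so a privilege held on one pool marks that capability for VMs in general, and nothing in the code says this is intended. A comment above `$extract_vm_caps` would make the contract explicit, for example `# collect VM-related privs from any path; capability hint for the client, not an access decision`. `$usercfg` is not defined in the visible lines, so confirm it is in scope at this point of the sub, which starts and ends outside the hunk. As a style point, `$extract_vm_caps->("/pool/$pool");` reads more clearly than the `&$extract_vm_caps(...)` call form.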
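Review bot: In the `@@ -196,6 +206,18 @@` hunk, the `description` of the new `get_ticket` method has two typos (`formaters`, `priovde`) in a string that presumably surfaces in the generated API documentation; it should read `"Dummy. Useful for formatters which want to provide a login page."`. The method is registered with `permissions => { user => 'world' }` on the same `ticket` path as `create_ticket`, so a short comment such as `# unauthenticated on purpose: returns nothing, only lets a formatter render the login page` would help keep later edits from adding data to the response.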
@@ -269,7 +290,8 @@ __PACKAGE__->register_method ({
 if (my $err = $@) {
 my $clientip = $rpcenv->get_client_ip() || '';
 syslog('err', "authentication failure; rhost=$clientip user=$username msg=$err");
- die $err;
+ # do not return any info to prevent user enumeration attacks
+ die PVE::Exception->new("authentication failure\n", code => 401);
 }
 $res->{cap} = &$compute_api_permission($rpcenv, $username);
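Review bot: The comment on the new `die` overstates what the generic 401 achieves: it hides the failure reason in the response body, but `check_user_enabled` runs first inside the `eval` (visible in the previous hunk), so an unknown or disabled account likely fails before any credential check and the response time may still differ. I would word the comment as `# return a generic error; the reason is only logged (response timing is not equalised here)`, or equalise the two paths if that matters for the deployment. Separately, no hunk in this diff adds `use PVE::Exception;`, so confirm the module is already loaded in this file, otherwise the `->new` call itself dies with a different error. The enclosing `code` sub starts and ends outside the hunk.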