X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAPI2%2FGroup.pm;h=1d6ba98bf605da4a3004bb9aae850358d1af7bd3;hp=883c45dde482b6c2c73fd1e1297a119a9f0c8e73;hb=bcf4eb3d4960aa2b3d1e63c482fc35b83bab2c0a;hpb=7b6f1fd306c17d38bbdf21edac7e930bbe2656d4 diff --git a/PVE/API2/Group.pm b/PVE/API2/Group.pm index 883c45d..1d6ba98 100644 --- a/PVE/API2/Group.pm +++ b/PVE/API2/Group.pm @@ -4,37 +4,28 @@ use strict; use warnings; use PVE::Cluster qw (cfs_read_file cfs_write_file); use PVE::AccessControl; - use PVE::SafeSyslog; - -use Data::Dumper; # fixme: remove - use PVE::RESTHandler; +use PVE::JSONSchema qw(get_standard_option register_standard_option); use base qw(PVE::RESTHandler); -my $extract_group_data = sub { - my ($data, $full) = @_; - - my $res = {}; - - $res->{comment} = $data->{comment} if defined($data->{comment}); - - return $res if !$full; +register_standard_option('group-id', { + type => 'string', + format => 'pve-groupid', + title => 'Group ID' , + completion => \&PVE::AccessControl::complete_group, +}); - $res->{users} = $data->{users} ? [ keys %{$data->{users}} ] : []; +register_standard_option('group-comment', { type => 'string', optional => 1 }); - return $res; -}; - -# fixme: index should return more/all attributes? __PACKAGE__->register_method ({ name => 'index', path => '', method => 'GET', description => "Group index.", permissions => { - description => "The returned list is restricted to groups where you have 'User.Allocate' or 'Sys.Audit' permissions on '/access', or 'User.Allocate' on /access/groups/.", + description => "The returned list is restricted to groups where you have 'User.Modify', 'Sys.Audit' or 'Group.Allocate' permissions on /access/groups/.", user => 'all', }, parameters => { @@ -46,7 +37,8 @@ __PACKAGE__->register_method ({ items => { type => "object", properties => { - groupid => { type => 'string' }, + groupid => get_standard_option('group-id'), + comment => get_standard_option('group-comment'), }, }, links => [ { rel => 'child', href => "{groupid}" } ], @@ -60,14 +52,13 @@ __PACKAGE__->register_method ({ my $usercfg = cfs_read_file("user.cfg"); my $authuser = $rpcenv->get_user(); - my $privs = [ 'User.Allocate', 'Sys.Audit' ]; - my $allow = $rpcenv->check_any($authuser, "/access", $privs, 1); - my $allowed_groups = $rpcenv->filter_groups($authuser, $privs, 1); - + my $privs = [ 'User.Modify', 'Sys.Audit', 'Group.Allocate']; + foreach my $group (keys %{$usercfg->{groups}}) { - next if !($allow || $allowed_groups->{$group}); - my $entry = &$extract_group_data($usercfg->{groups}->{$group}); - $entry->{groupid} = $group; + next if !$rpcenv->check_any($authuser, "/access/groups/$group", $privs, 1); + my $data = $usercfg->{groups}->{$group}; + my $entry = { groupid => $group }; + $entry->{comment} = $data->{comment} if defined($data->{comment}); push @$res, $entry; } @@ -80,14 +71,14 @@ __PACKAGE__->register_method ({ path => '', method => 'POST', permissions => { - check => ['perm', '/access', ['Sys.Modify']], + check => ['perm', '/access/groups', ['Group.Allocate']], }, description => "Create new group.", parameters => { additionalProperties => 0, properties => { - groupid => { type => 'string', format => 'pve-groupid' }, - comment => { type => 'string', optional => 1 }, + groupid => get_standard_option('group-id'), + comment => get_standard_option('group-comment'), }, }, returns => { type => 'null' }, @@ -121,15 +112,14 @@ __PACKAGE__->register_method ({ path => '{groupid}', method => 'PUT', permissions => { - check => ['perm', '/access', ['Sys.Modify']], + check => ['perm', '/access/groups', ['Group.Allocate']], }, description => "Update group data.", parameters => { additionalProperties => 0, properties => { - # fixme: set/delete members - groupid => { type => 'string', format => 'pve-groupid' }, - comment => { type => 'string', optional => 1 }, + groupid => get_standard_option('group-id'), + comment => get_standard_option('group-comment'), }, }, returns => { type => 'null' }, @@ -148,30 +138,39 @@ __PACKAGE__->register_method ({ die "group '$group' does not exist\n" if !$data; - $data->{comment} = $param->{comment} if $param->{comment}; + $data->{comment} = $param->{comment} if defined($param->{comment}); cfs_write_file("user.cfg", $usercfg); - }, "create group failed"); + }, "update group failed"); return undef; }}); -# fixme: return format! __PACKAGE__->register_method ({ name => 'read_group', path => '{groupid}', method => 'GET', permissions => { - check => ['perm', '/access', ['Sys.Audit']], - }, + check => ['perm', '/access/groups', ['Sys.Audit', 'Group.Allocate'], any => 1], + }, description => "Get group configuration.", parameters => { additionalProperties => 0, properties => { - groupid => { type => 'string', format => 'pve-groupid' }, + groupid => get_standard_option('group-id'), + }, + }, + returns => { + type => "object", + additionalProperties => 0, + properties => { + comment => get_standard_option('group-comment'), + members => { + type => 'array', + items => get_standard_option('userid-completed') + }, }, }, - returns => {}, code => sub { my ($param) = @_; @@ -183,7 +182,13 @@ __PACKAGE__->register_method ({ die "group '$group' does not exist\n" if !$data; - return &$extract_group_data($data, 1); + my $members = $data->{users} ? [ keys %{$data->{users}} ] : []; + + my $res = { members => $members }; + + $res->{comment} = $data->{comment} if defined($data->{comment}); + + return $res; }}); @@ -193,13 +198,13 @@ __PACKAGE__->register_method ({ path => '{groupid}', method => 'DELETE', permissions => { - check => ['perm', '/access', ['Sys.Modify']], + check => ['perm', '/access/groups', ['Group.Allocate']], }, description => "Delete group.", parameters => { additionalProperties => 0, properties => { - groupid => { type => 'string' , format => 'pve-groupid' }, + groupid => get_standard_option('group-id'), } }, returns => { type => 'null' },