X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAPI2%2FGroup.pm;h=27051a457a5364f0ef3a84342bcf13e5eab87b12;hp=3a8022568c9bef1626756efeb5b16f96d81a8f9b;hb=fe2defd9d52b236b2c69498b2bf7d3be501a8462;hpb=2c3a6c0aaac7fbdaeb26bc5a596d21e897f3343a diff --git a/PVE/API2/Group.pm b/PVE/API2/Group.pm index 3a80225..27051a4 100644 --- a/PVE/API2/Group.pm +++ b/PVE/API2/Group.pm @@ -4,35 +4,20 @@ use strict; use warnings; use PVE::Cluster qw (cfs_read_file cfs_write_file); use PVE::AccessControl; - use PVE::SafeSyslog; - -use Data::Dumper; # fixme: remove - use PVE::RESTHandler; use base qw(PVE::RESTHandler); -my $extract_group_data = sub { - my ($data, $full) = @_; - - my $res = {}; - - $res->{comment} = $data->{comment} if defined($data->{comment}); - - return $res if !$full; - - $res->{users} = $data->{users} ? [ keys %{$data->{users}} ] : []; - - return $res; -}; - -# fixme: index should return more/all attributes? __PACKAGE__->register_method ({ name => 'index', path => '', method => 'GET', description => "Group index.", + permissions => { + description => "The returned list is restricted to groups where you have 'User.Modify', 'Sys.Audit' or 'Group.Allocate' permissions on /access/groups/.", + user => 'all', + }, parameters => { additionalProperties => 0, properties => {}, @@ -52,11 +37,17 @@ __PACKAGE__->register_method ({ my $res = []; + my $rpcenv = PVE::RPCEnvironment::get(); my $usercfg = cfs_read_file("user.cfg"); - + my $authuser = $rpcenv->get_user(); + + my $privs = [ 'User.Modify', 'Sys.Audit', 'Group.Allocate']; + foreach my $group (keys %{$usercfg->{groups}}) { - my $entry = &$extract_group_data($usercfg->{groups}->{$group}); - $entry->{groupid} = $group; + next if !$rpcenv->check_any($authuser, "/access/groups/$group", $privs, 1); + my $data = $usercfg->{groups}->{$group}; + my $entry = { groupid => $group }; + $entry->{comment} = $data->{comment} if defined($data->{comment}); push @$res, $entry; } @@ -68,6 +59,9 @@ __PACKAGE__->register_method ({ protected => 1, path => '', method => 'POST', + permissions => { + check => ['perm', '/access/groups', ['Group.Allocate']], + }, description => "Create new group.", parameters => { additionalProperties => 0, @@ -106,11 +100,13 @@ __PACKAGE__->register_method ({ protected => 1, path => '{groupid}', method => 'PUT', + permissions => { + check => ['perm', '/access/groups', ['Group.Allocate']], + }, description => "Update group data.", parameters => { additionalProperties => 0, properties => { - # fixme: set/delete members groupid => { type => 'string', format => 'pve-groupid' }, comment => { type => 'string', optional => 1 }, }, @@ -131,19 +127,21 @@ __PACKAGE__->register_method ({ die "group '$group' does not exist\n" if !$data; - $data->{comment} = $param->{comment} if $param->{comment}; + $data->{comment} = $param->{comment} if defined($param->{comment}); cfs_write_file("user.cfg", $usercfg); - }, "create group failed"); + }, "update group failed"); return undef; }}); -# fixme: return format! __PACKAGE__->register_method ({ name => 'read_group', path => '{groupid}', method => 'GET', + permissions => { + check => ['perm', '/access/groups', ['Sys.Audit', 'Group.Allocate'], any => 1], + }, description => "Get group configuration.", parameters => { additionalProperties => 0, @@ -151,7 +149,19 @@ __PACKAGE__->register_method ({ groupid => { type => 'string', format => 'pve-groupid' }, }, }, - returns => {}, + returns => { + type => "object", + additionalProperties => 0, + properties => { + comment => { type => 'string', optional => 1 }, + members => { + type => 'array', + items => { + type => "string", + }, + }, + }, + }, code => sub { my ($param) = @_; @@ -163,7 +173,13 @@ __PACKAGE__->register_method ({ die "group '$group' does not exist\n" if !$data; - return &$extract_group_data($data, 1); + my $members = $data->{users} ? [ keys %{$data->{users}} ] : []; + + my $res = { members => $members }; + + $res->{comment} = $data->{comment} if defined($data->{comment}); + + return $res; }}); @@ -172,6 +188,9 @@ __PACKAGE__->register_method ({ protected => 1, path => '{groupid}', method => 'DELETE', + permissions => { + check => ['perm', '/access/groups', ['Group.Allocate']], + }, description => "Delete group.", parameters => { additionalProperties => 0,