X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAPI2%2FGroup.pm;h=27051a457a5364f0ef3a84342bcf13e5eab87b12;hp=435e0190890ec4a698b253f26a539631b60037fa;hb=e4f8fc2e7e5f31691629a5361000636f8a2b2398;hpb=9691923469709bd3f5660748e17a6036ad80faaa
diff --git a/PVE/API2/Group.pm b/PVE/API2/Group.pm
index 435e019..27051a4 100644
--- a/PVE/API2/Group.pm
+++ b/PVE/API2/Group.pm
@@ -4,37 +4,18 @@ use strict;
 use warnings;
 use PVE::Cluster qw (cfs_read_file cfs_write_file);
 use PVE::AccessControl;
-
 use PVE::SafeSyslog;
-
-use Data::Dumper; # fixme: remove
-
 use PVE::RESTHandler;
 use base qw(PVE::RESTHandler);
-my $extract_group_data = sub {
- my ($data, $full) = @_;
-
- my $res = {};
-
- $res->{comment} = $data->{comment} if defined($data->{comment});
-
- return $res if !$full;
-
- $res->{users} = $data->{users} ? [ keys %{$data->{users}} ] : [];
-
- return $res;
-};
-
-# fixme: index should return more/all attributes?
 __PACKAGE__->register_method ({
 name => 'index',
 path => '',
 method => 'GET',
 description => "Group index.",
 permissions => {
- description => "The returned list is restricted to groups where you have 'User.Add' or 'Sys.Audit' permissions on '/access', or 'User.Add' on /access/groups/.",
+ description => "The returned list is restricted to groups where you have 'User.Modify', 'Sys.Audit' or 'Group.Allocate' permissions on /access/groups/.",
 user => 'all',
 },
 parameters => {
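Review bot: The new permission description in this hunk says the privileges are needed "on /access/groups/", but the filter the index actually applies (next hunk) is evaluated per group on "/access/groups/$group", so a reader may conclude a grant on the collection path is required when a grant on a single group already suffices. Naming the per-group path keeps the documentation aligned with the check: `description => "The returned list is restricted to groups where you have 'User.Modify', 'Sys.Audit' or 'Group.Allocate' permissions on /access/groups/<groupid>.",`. The index method definition started here continues past the end of this hunk.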
@@ -60,14 +41,13 @@ __PACKAGE__->register_method ({
 my $usercfg = cfs_read_file("user.cfg");
 my $authuser = $rpcenv->get_user();
- my $privs = [ 'User.Add', 'Sys.Audit' ];
- my $allow = $rpcenv->check_any($authuser, "/access", $privs, 1);
- my $allowed_groups = $rpcenv->filter_groups($authuser, $privs, 1);
-
+ my $privs = [ 'User.Modify', 'Sys.Audit', 'Group.Allocate'];
+
 foreach my $group (keys %{$usercfg->{groups}}) {
- next if !($allow || $allowed_groups->{$group});
- my $entry = &$extract_group_data($usercfg->{groups}->{$group});
- $entry->{groupid} = $group;
+ next if !$rpcenv->check_any($authuser, "/access/groups/$group", $privs, 1);
+ my $data = $usercfg->{groups}->{$group};
+ my $entry = { groupid => $group };
+ $entry->{comment} = $data->{comment} if defined($data->{comment});
 push @$res, $entry;
 }
@@ -80,7 +60,7 @@ __PACKAGE__->register_method ({
 path => '',
 method => 'POST',
 permissions => {
- check => ['perm', '/access', ['Sys.Modify']],
+ check => ['perm', '/access/groups', ['Group.Allocate']],
 },
 description => "Create new group.",
 parameters => {
@@ -121,13 +101,12 @@ __PACKAGE__->register_method ({
 path => '{groupid}',
 method => 'PUT',
 permissions => {
- check => ['perm', '/access', ['Sys.Modify']],
+ check => ['perm', '/access/groups', ['Group.Allocate']],
 },
 description => "Update group data.",
 parameters => {
 additionalProperties => 0,
 properties => {
- # fixme: set/delete members
 groupid => { type => 'string', format => 'pve-groupid' },
 comment => { type => 'string', optional => 1 },
 },
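Review bot: The index filter in the first hunk grants visibility per group via `check_any($authuser, "/access/groups/$group", $privs, 1)`, while the per-group PUT in the third hunk (and the GET and DELETE methods in the next line's hunks) check the collection path `/access/groups`; assuming a grant on a sub-path does not satisfy a check on its parent, a user holding only Sys.Audit or Group.Allocate on `/access/groups/<groupid>` will see the group listed but be refused when reading, updating or deleting that same group. If the permission checker substitutes request parameters into the path as other PVE API modules do, the object-level methods should check the same path the index uses, e.g. `check => ['perm', '/access/groups/{groupid}', ['Group.Allocate']],` for PUT/DELETE and `check => ['perm', '/access/groups/{groupid}', ['Sys.Audit', 'Group.Allocate'], any => 1],` for GET; otherwise the index should test the collection path so the two agree. The POST check in the second hunk is correctly on the collection path, since no group exists yet. The `code` sub of the index starts before the first hunk and its `register_method` call ends after it.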
@@ -148,22 +127,21 @@ __PACKAGE__->register_method ({
 die "group '$group' does not exist\n" if !$data;
- $data->{comment} = $param->{comment} if $param->{comment};
+ $data->{comment} = $param->{comment} if defined($param->{comment});
 cfs_write_file("user.cfg", $usercfg);
- }, "create group failed");
+ }, "update group failed");
 return undef;
 }});
-# fixme: return format!
 __PACKAGE__->register_method ({
 name => 'read_group',
 path => '{groupid}',
 method => 'GET',
 permissions => {
- check => ['perm', '/access', ['Sys.Audit']],
- },
+ check => ['perm', '/access/groups', ['Sys.Audit', 'Group.Allocate'], any => 1],
+ },
 description => "Get group configuration.",
 parameters => {
 additionalProperties => 0,
@@ -171,7 +149,19 @@ __PACKAGE__->register_method ({
 groupid => { type => 'string', format => 'pve-groupid' },
 },
 },
- returns => {},
+ returns => {
+ type => "object",
+ additionalProperties => 0,
+ properties => {
+ comment => { type => 'string', optional => 1 },
+ members => {
+ type => 'array',
+ items => {
+ type => "string",
+ },
+ },
+ },
+ },
 code => sub {
 my ($param) = @_;
@@ -183,7 +173,13 @@ __PACKAGE__->register_method ({
 die "group '$group' does not exist\n" if !$data;
- return &$extract_group_data($data, 1);
+ my $members = $data->{users} ? [ keys %{$data->{users}} ] : [];
+
+ my $res = { members => $members };
+
+ $res->{comment} = $data->{comment} if defined($data->{comment});
+
+ return $res;
 }});
@@ -193,7 +189,7 @@ __PACKAGE__->register_method ({
 path => '{groupid}',
 method => 'DELETE',
 permissions => {
- check => ['perm', '/access', ['Sys.Modify']],
+ check => ['perm', '/access/groups', ['Group.Allocate']],
 },
 description => "Delete group.",
 parameters => {
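Review bot: In the read_group body (third hunk on this line) `keys %{$data->{users}}` yields the members in hash order, so the `members` array returned by the API changes between processes and calls even when the group is unchanged, which makes responses hard to compare and audit. Sorting costs nothing here: `my $members = $data->{users} ? [ sort keys %{$data->{users}} ] : [];`. The `keys %{$usercfg->{groups}}` loop in the index (previous line) has the same property and would benefit from the same `sort`. The `code` sub of read_group starts before this hunk, and the `members` schema added in the second hunk could state in a `description` what the strings are, presumably user IDs given they come from `$data->{users}`.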