X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAPI2%2FRole.pm;h=156d3b89bc4015060ae851bd180bd10a7ce2c394;hp=0216c8dfc62c8cf50227923450d7ad2648bf6be1;hb=bcf4eb3d4960aa2b3d1e63c482fc35b83bab2c0a;hpb=894e6f0c4b166d09f5623c06812edb3ec5e8bf62 diff --git a/PVE/API2/Role.pm b/PVE/API2/Role.pm index 0216c8d..156d3b8 100644 --- a/PVE/API2/Role.pm +++ b/PVE/API2/Role.pm @@ -4,21 +4,32 @@ use strict; use warnings; use PVE::Cluster qw (cfs_read_file cfs_write_file); use PVE::AccessControl; +use PVE::JSONSchema qw(get_standard_option register_standard_option); use PVE::SafeSyslog; -use Data::Dumper; # fixme: remove - use PVE::RESTHandler; use base qw(PVE::RESTHandler); +register_standard_option('role-id', { + type => 'string', + format => 'pve-roleid', + title => 'Role ID', + print_width => 30 +}); +register_standard_option('role-privs', { + type => 'string' , + format => 'pve-priv-list', + optional => 1, title => 'Privileges', +}); + __PACKAGE__->register_method ({ - name => 'index', - path => '', + name => 'index', + path => '', method => 'GET', description => "Role index.", - permissions => { + permissions => { user => 'all', }, parameters => { 
@@ -30,41 +41,46 @@ __PACKAGE__->register_method ({ items => { type => "object", properties => { - roleid => { type => 'string' }, + roleid => get_standard_option('role-id'), + privs => get_standard_option('role-privs'), + special => { type => 'boolean', optional => 1, default => 0, title => 'Built-In' }, }, }, links => [ { rel => 'child', href => "{roleid}" } ], }, code => sub { my ($param) = @_; - + my $res = []; my $usercfg = cfs_read_file("user.cfg"); - + foreach my $role (keys %{$usercfg->{roles}}) { my $privs = join(',', sort keys %{$usercfg->{roles}->{$role}}); - push @$res, { roleid => $role, privs => $privs, - special => PVE::AccessControl::role_is_special($role) }; + push @$res, { + roleid => $role, + privs => $privs, + special => PVE::AccessControl::role_is_special($role), + }; } return $res; - }}); +}}); __PACKAGE__->register_method ({ - name => 'create_role', + name => 'create_role', protected => 1, - path => '', + path => '', method => 'POST', - permissions => { + permissions => { check => ['perm', '/access', ['Sys.Modify']], }, description => "Create new role.", parameters => { - additionalProperties => 0, + additionalProperties => 0, properties => { - roleid => { type => 'string', format => 'pve-roleid' }, - privs => { type => 'string' , format => 'pve-priv-list', optional => 1 }, + roleid => get_standard_option('role-id'), + privs => get_standard_option('role-privs'), }, }, returns => { type => 'null' }, @@ -73,12 +89,12 @@ __PACKAGE__->register_method ({ PVE::AccessControl::lock_user_config( sub { - + my $usercfg = cfs_read_file("user.cfg"); my $role = $param->{roleid}; - die "role '$role' already exists\n" + die "role '$role' already exists\n" if $usercfg->{roles}->{$role}; $usercfg->{roles}->{$role} = {}; 
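Review bot: The closing of the `index` and `create_role` registrations is rewritten here as `+}});`, while `read_role` and `delete_role` in the later hunks of the same commit close with `+ }` followed by `+});`, so the file ends up with two styles for the same construct. Since every registration's closing line is already being touched, one form should be used for all five, for example the two-line `}` / `});` form. On a separate point, the new `special => { type => 'boolean', optional => 1, default => 0, title => 'Built-In' }` entry is fed directly from `special => PVE::AccessControl::role_is_special($role)`; if that helper yields undef for regular roles (not visible here), the field would be emitted as null rather than the declared default, and a `? 1 : 0` normalisation in the push would pin it to a boolean. The `index` handler is complete inside this hunk; the `create_role` code sub continues in the next one.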
@@ -89,27 +105,23 @@ __PACKAGE__->register_method ({ }, "create role failed"); return undef; - }}); +}}); __PACKAGE__->register_method ({ - name => 'update_role', + name => 'update_role', protected => 1, - path => '{roleid}', + path => '{roleid}', method => 'PUT', - permissions => { + permissions => { check => ['perm', '/access', ['Sys.Modify']], }, - description => "Create new role.", + description => "Update an existing role.", parameters => { - additionalProperties => 0, + additionalProperties => 0, properties => { - roleid => { type => 'string', format => 'pve-roleid' }, - privs => { type => 'string' , format => 'pve-priv-list' }, - append => { - type => 'boolean', - optional => 1, - requires => 'privs', - }, + roleid => get_standard_option('role-id'), + privs => get_standard_option('role-privs'), + append => { type => 'boolean', optional => 1, requires => 'privs' }, }, }, returns => { type => 'null' }, @@ -118,12 +130,12 @@ __PACKAGE__->register_method ({ PVE::AccessControl::lock_user_config( sub { - + my $role = $param->{roleid}; my $usercfg = cfs_read_file("user.cfg"); - - die "role '$role' does not exist\n" + + die "role '$role' does not exist\n" if !$usercfg->{roles}->{$role}; $usercfg->{roles}->{$role} = {} if !$param->{append}; 
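Review bot: The `privs` parameter of `update_role` silently becomes optional: the removed line declared it as a plain required `pve-priv-list` string, whereas the replacement `privs => get_standard_option('role-privs')` inherits the `optional => 1` that the shared option registered at the top of the file carries. Combined with `$usercfg->{roles}->{$role} = {} if !$param->{append};` in the following hunk, a PUT that omits `privs` now passes schema validation and empties the role's privilege set before anything is added back (what the handler does with an undefined `privs` after that point lies outside the hunk). If the previous contract is intended, override it at the call site, `privs => get_standard_option('role-privs', { optional => 0 }),`, or drop `optional => 1` from the shared definition and set it only where an empty role is legitimate (creation). The retained `append => { ..., requires => 'privs' }` entry also reads as if `privs` were expected.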
@@ -134,24 +146,29 @@ __PACKAGE__->register_method ({ }, "update role failed"); return undef; - }}); +}}); -# fixme: return format! __PACKAGE__->register_method ({ - name => 'read_role', - path => '{roleid}', + name => 'read_role', + path => '{roleid}', method => 'GET', - permissions => { + permissions => { user => 'all', }, description => "Get role configuration.", parameters => { - additionalProperties => 0, + additionalProperties => 0, properties => { - roleid => { type => 'string' , format => 'pve-roleid' }, + roleid => get_standard_option('role-id'), + }, + }, + returns => { + type => "object", + additionalProperties => 0, + properties => { + privs => get_standard_option('role-privs'), }, }, - returns => {}, code => sub { my ($param) = @_; @@ -164,40 +181,39 @@ __PACKAGE__->register_method ({ die "role '$role' does not exist\n" if !$data; return $data; - }}); - + } +}); __PACKAGE__->register_method ({ - name => 'delete_role', + name => 'delete_role', protected => 1, - path => '{roleid}', + path => '{roleid}', method => 'DELETE', - permissions => { + permissions => { check => ['perm', '/access', ['Sys.Modify']], }, description => "Delete role.", parameters => { - additionalProperties => 0, + additionalProperties => 0, properties => { - roleid => { type => 'string', format => 'pve-roleid' }, - } + roleid => get_standard_option('role-id'), + }, }, returns => { type => 'null' }, code => sub { my ($param) = @_; - PVE::AccessControl::lock_user_config( - sub { + my $role = $param->{roleid}; - my $role = $param->{roleid}; + die "auto-generated role '$role' cannot be deleted\n" + if PVE::AccessControl::role_is_special($role); + PVE::AccessControl::lock_user_config( + sub { my $usercfg = cfs_read_file("user.cfg"); die "role '$role' does not exist\n" if !$usercfg->{roles}->{$role}; - - die "auto-generated role '$role' can not be deleted\n" - if PVE::AccessControl::role_is_special($role); delete ($usercfg->{roles}->{$role}); 
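Review bot: The new `returns` schema for `read_role` declares an object whose only permitted property is a `privs` string (`additionalProperties => 0`), but the handler still ends with `return $data;` in the next hunk and nothing in this commit reshapes `$data`. Its assignment sits between the two hunks and is not visible here; if it is `$usercfg->{roles}->{$role}`, as the index handler's `keys %{$usercfg->{roles}->{$role}}` suggests, the response is a hash keyed by privilege name rather than `{ privs => '...' }`, so the declared schema does not describe the real output and any client or validator trusting it is misled. Either make the value match, `return { privs => join(',', sort keys %$data) };` (the same representation the index handler builds), or declare the actual shape instead of `privs`. The `read_role` code sub starts in this hunk and ends in the next; the removed `# fixme: return format!` comment pointed at exactly this gap.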
@@ -205,8 +221,9 @@ __PACKAGE__->register_method ({ cfs_write_file("user.cfg", $usercfg); }, "delete role failed"); - + return undef; - }}); + } +}); 1;