X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAPI2%2FRole.pm;h=83e4a9d4a9ab20b1efce78c4b433f6db3e0f72d2;hp=452fc6d5e1437173306a96431f92c5eaba7bf645;hb=0fea3f1677d5830a349cb7407b5a62a2e2ebe0f7;hpb=0a6e09fd4733d877b02d1d2aee26bf90e243b2a0
diff --git a/PVE/API2/Role.pm b/PVE/API2/Role.pm
index 452fc6d..83e4a9d 100644
--- a/PVE/API2/Role.pm
+++ b/PVE/API2/Role.pm
@@ -4,6 +4,7 @@ use strict;
 use warnings;
 use PVE::Cluster qw (cfs_read_file cfs_write_file);
 use PVE::AccessControl;
+use PVE::JSONSchema qw(get_standard_option register_standard_option);
 use PVE::SafeSyslog;
@@ -11,6 +12,16 @@ use PVE::RESTHandler;
 use base qw(PVE::RESTHandler);
+register_standard_option('role-id', {
+ type => 'string',
+ format => 'pve-roleid',
+});
+register_standard_option('role-privs', {
+ type => 'string' ,
+ format => 'pve-priv-list',
+ optional => 1,
+});
+
 __PACKAGE__->register_method ({
 name => 'index',
 path => '',
@@ -28,7 +39,9 @@ __PACKAGE__->register_method ({
 items => {
 type => "object",
 properties => {
- roleid => { type => 'string' },
+ roleid => get_standard_option('role-id'),
+ privs => get_standard_option('role-privs'),
+ special => { type => 'boolean', optional => 1, default => 0 },
 },
 },
 links => [ { rel => 'child', href => "{roleid}" } ],
@@ -42,8 +55,11 @@ __PACKAGE__->register_method ({
 foreach my $role (keys %{$usercfg->{roles}}) {
 my $privs = join(',', sort keys %{$usercfg->{roles}->{$role}});
- push @$res, { roleid => $role, privs => $privs,
- special => PVE::AccessControl::role_is_special($role) };
+ push @$res, {
+ roleid => $role,
+ privs => $privs,
+ special => PVE::AccessControl::role_is_special($role),
+ };
 }
 return $res;
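Review bot: Neither of the two new standard options carries a `description`, so `role-id` and `role-privs` appear undocumented in every schema that now reuses them (the index return items and the parameters of create_role, update_role, read_role and delete_role). Adding one line to each registration fixes all of them at once, e.g. `description => 'Role identifier.',` in `role-id` and `description => 'List of privileges granted by the role.',` in `role-privs`. The `type => 'string' ,` line in `role-privs` also has a stray space before the comma, which the otherwise tidy new code does not have elsewhere.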
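Review bot: In the index return schema, `special` is declared `optional => 1, default => 0` and `privs` inherits `optional => 1` from `role-privs`, yet the push in the following `@@ -42,8 +55,11 @@` hunk sets `roleid`, `privs` and `special` unconditionally for every role. The optional flags and the default therefore describe a response shape that the code never produces, which misleads API consumers generating clients from the schema. Consider `special => { type => 'boolean' },` and `privs => get_standard_option('role-privs', { optional => 0 }),` so the documented shape matches what `code` returns.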
@@ -61,8 +77,8 @@ __PACKAGE__->register_method ({
 parameters => {
 additionalProperties => 0,
 properties => {
- roleid => { type => 'string', format => 'pve-roleid' },
- privs => { type => 'string' , format => 'pve-priv-list', optional => 1 },
+ roleid => get_standard_option('role-id'),
+ privs => get_standard_option('role-privs'),
 },
 },
 returns => { type => 'null' },
@@ -97,17 +113,13 @@ __PACKAGE__->register_method ({
 permissions => {
 check => ['perm', '/access', ['Sys.Modify']],
 },
- description => "Create new role.",
+ description => "Update an existing role.",
 parameters => {
 additionalProperties => 0,
 properties => {
- roleid => { type => 'string', format => 'pve-roleid' },
- privs => { type => 'string' , format => 'pve-priv-list' },
- append => {
- type => 'boolean',
- optional => 1,
- requires => 'privs',
- },
+ roleid => get_standard_option('role-id'),
+ privs => get_standard_option('role-privs'),
+ append => { type => 'boolean', optional => 1, requires => 'privs' },
 },
 },
 returns => { type => 'null' },
@@ -134,7 +146,6 @@ __PACKAGE__->register_method ({
 return undef;
 }});
-# fixme: return format!
 __PACKAGE__->register_method ({
 name => 'read_role',
 path => '{roleid}',
@@ -146,10 +157,14 @@ __PACKAGE__->register_method ({
 parameters => {
 additionalProperties => 0,
 properties => {
- roleid => { type => 'string' , format => 'pve-roleid' },
+ roleid => get_standard_option('role-id'),
 },
 },
- returns => {},
+ returns => {
+ type => "object",
+ additionalProperties => 0,
+ properties => PVE::AccessControl::create_priv_properties(),
+ },
 code => sub {
 my ($param) = @_;
@@ -162,7 +177,8 @@ __PACKAGE__->register_method ({
 die "role '$role' does not exist\n" if !$data;
 return $data;
-}});
+ }
+});
 __PACKAGE__->register_method ({
 name => 'delete_role',
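Review bot: Replacing the inline `privs` definition in update_role with `get_standard_option('role-privs')` relaxes the method's contract: the removed line had no `optional`, so `privs` was mandatory, while the shared option registered at the top of the file carries `optional => 1`. The handler body lies outside this hunk, so whether a request without `privs` (and without `append`) now clears the role's privileges or is a no-op cannot be seen here, but either way it is a behaviour change that the new `description` does not mention. If it is intended, state the effect of omitting `privs` in the description; if not, keep the old requirement with `privs => get_standard_option('role-privs', { optional => 0 }),`.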
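Review bot: The new `returns` schema of read_role combines `additionalProperties => 0` with `PVE::AccessControl::create_priv_properties()`, while the handler (visible as context in the next hunk) still returns `$data`, the role's hash from user.cfg, untouched. If that hash can ever hold a key outside the generated privilege set — a privilege name no longer known to this release but still present in an existing config seems the likely case — the response would now fail schema validation and the role would become unreadable through the API even though it still exists. Either confirm that `pve-priv-list` validation on write rules every such key out, or build the returned object from the known privileges instead of handing back `$data` as-is; a short comment above `returns` stating which of the two holds would help the next reader.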
@@ -176,26 +192,25 @@ __PACKAGE__->register_method ({
 parameters => {
 additionalProperties => 0,
 properties => {
- roleid => { type => 'string', format => 'pve-roleid' },
- }
+ roleid => get_standard_option('role-id'),
+ },
 },
 returns => { type => 'null' },
 code => sub {
 my ($param) = @_;
- PVE::AccessControl::lock_user_config(
- sub {
+ my $role = $param->{roleid};
- my $role = $param->{roleid};
+ die "auto-generated role '$role' cannot be deleted\n"
+ if PVE::AccessControl::role_is_special($role);
+ PVE::AccessControl::lock_user_config(
+ sub {
 my $usercfg = cfs_read_file("user.cfg");
 die "role '$role' does not exist\n" if !$usercfg->{roles}->{$role};
-
 delete ($usercfg->{roles}->{$role});
 # fixme: delete role from acl?
@@ -204,6 +219,7 @@ __PACKAGE__->register_method ({
 },
 "delete role failed");
 return undef;
-}});
+ }
+});
 1;
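Review bot: delete_role still removes only `$usercfg->{roles}->{$role}` and leaves the `# fixme: delete role from acl?` question open, so ACL entries that reference the deleted role are not touched in this hunk; unless something outside the hunk removes them, they stay as dangling references. The risk that matters is re-creation: if a role of the same name is later created, those stale ACL entries immediately grant the new role's privileges to whoever they were assigned to, with no administrator action. Since the commit already restructures this handler and holds the user config under `lock_user_config`, it would be the natural place to also drop the role's ACL references inside the same locked block, or at least to replace the fixme with a comment that states where that cleanup happens. Moving the `role_is_special` check ahead of the lock is fine; it does not depend on the config contents.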