X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAPI2%2FRole.pm;h=bc77305ef54ed6302bd378e3088f5c3d16770d63;hp=396ba488f8684994272dd63031ff52249eb13262;hb=e41cc73c52cc784da82c8e96a7bcfbb0e017dbb5;hpb=2c3a6c0aaac7fbdaeb26bc5a596d21e897f3343a diff --git a/PVE/API2/Role.pm b/PVE/API2/Role.pm index 396ba48..bc77305 100644 --- a/PVE/API2/Role.pm +++ b/PVE/API2/Role.pm @@ -7,17 +7,18 @@ use PVE::AccessControl; use PVE::SafeSyslog; -use Data::Dumper; # fixme: remove - use PVE::RESTHandler; use base qw(PVE::RESTHandler); __PACKAGE__->register_method ({ - name => 'index', - path => '', + name => 'index', + path => '', method => 'GET', description => "Role index.", + permissions => { + user => 'all', + }, parameters => { additionalProperties => 0, properties => {}, @@ -34,27 +35,31 @@ __PACKAGE__->register_method ({ }, code => sub { my ($param) = @_; - + my $res = []; my $usercfg = cfs_read_file("user.cfg"); - + foreach my $role (keys %{$usercfg->{roles}}) { my $privs = join(',', sort keys %{$usercfg->{roles}->{$role}}); - push @$res, { roleid => $role, privs => $privs }; + push @$res, { roleid => $role, privs => $privs, + special => PVE::AccessControl::role_is_special($role) }; } return $res; - }}); +}}); __PACKAGE__->register_method ({ - name => 'create_role', + name => 'create_role', protected => 1, - path => '', + path => '', method => 'POST', + permissions => { + check => ['perm', '/access', ['Sys.Modify']], + }, description => "Create new role.", parameters => { - additionalProperties => 0, + additionalProperties => 0, properties => { roleid => { type => 'string', format => 'pve-roleid' }, privs => { type => 'string' , format => 'pve-priv-list', optional => 1 }, 
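Review bot: In the `@@ -34,27 +35,31 @@` hunk the index handler now emits a `special` key on every item (`push @$res, { roleid => $role, privs => $privs, special => ... }`), but the hunk opens at a closing `},` that is presumably the end of the `returns` block, so whether the items schema declares that key is outside the hunk. If it does not, add `special => { type => 'boolean', optional => 1 },` next to the `roleid`/`privs` entries of the items' properties so the documented and the emitted shape agree. The `create_role` method started at the bottom of this hunk continues in the next one.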
@@ -66,12 +71,12 @@ __PACKAGE__->register_method ({ PVE::AccessControl::lock_user_config( sub { - + my $usercfg = cfs_read_file("user.cfg"); my $role = $param->{roleid}; - die "role '$role' already exists\n" + die "role '$role' already exists\n" if $usercfg->{roles}->{$role}; $usercfg->{roles}->{$role} = {}; @@ -82,21 +87,24 @@ __PACKAGE__->register_method ({ }, "create role failed"); return undef; - }}); +}}); __PACKAGE__->register_method ({ - name => 'update_role', + name => 'update_role', protected => 1, - path => '{roleid}', + path => '{roleid}', method => 'PUT', + permissions => { + check => ['perm', '/access', ['Sys.Modify']], + }, description => "Create new role.", parameters => { - additionalProperties => 0, + additionalProperties => 0, properties => { roleid => { type => 'string', format => 'pve-roleid' }, privs => { type => 'string' , format => 'pve-priv-list' }, - append => { - type => 'boolean', + append => { + type => 'boolean', optional => 1, requires => 'privs', }, @@ -108,12 +116,12 @@ __PACKAGE__->register_method ({ PVE::AccessControl::lock_user_config( sub { - + my $role = $param->{roleid}; my $usercfg = cfs_read_file("user.cfg"); - - die "role '$role' does not exist\n" + + die "role '$role' does not exist\n" if !$usercfg->{roles}->{$role}; $usercfg->{roles}->{$role} = {} if !$param->{append}; @@ -124,16 +132,19 @@ __PACKAGE__->register_method ({ }, "update role failed"); return undef; - }}); +}}); # fixme: return format! __PACKAGE__->register_method ({ - name => 'read_role', - path => '{roleid}', + name => 'read_role', + path => '{roleid}', method => 'GET', + permissions => { + user => 'all', + }, description => "Get role configuration.", parameters => { - additionalProperties => 0, + additionalProperties => 0, properties => { roleid => { type => 'string' , format => 'pve-roleid' }, }, 
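Review bot: In the `@@ -82,21 +87,24 @@` hunk, `update_role` still carries `description => "Create new role.",` copied from `create_role`; it is a PUT on `{roleid}` that replaces (or, with `append`, extends) an existing role, so it should read `description => "Update an existing role.",`. More importantly, this commit makes `delete_role` refuse roles for which `PVE::AccessControl::role_is_special` is true, but `update_role` gets no matching guard, so an auto-generated role's privilege set can still be rewritten — or emptied, since the following hunk resets it with `$usercfg->{roles}->{$role} = {} if !$param->{append};` — by any caller holding `Sys.Modify` on `/access`. Unless overwriting special roles is intended, mirror the delete check at the top of the handler body: `die "auto-generated role '$role' cannot be modified\n" if PVE::AccessControl::role_is_special($role);`. The handler's body continues in the `@@ -108,12 +116,12 @@` hunk.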
@@ -151,17 +162,19 @@ __PACKAGE__->register_method ({ die "role '$role' does not exist\n" if !$data; return $data; - }}); - +}}); __PACKAGE__->register_method ({ - name => 'delete_role', + name => 'delete_role', protected => 1, - path => '{roleid}', + path => '{roleid}', method => 'DELETE', + permissions => { + check => ['perm', '/access', ['Sys.Modify']], + }, description => "Delete role.", parameters => { - additionalProperties => 0, + additionalProperties => 0, properties => { roleid => { type => 'string', format => 'pve-roleid' }, } @@ -170,24 +183,26 @@ __PACKAGE__->register_method ({ code => sub { my ($param) = @_; - PVE::AccessControl::lock_user_config( - sub { + my $role = $param->{roleid}; - my $role = $param->{roleid}; + die "auto-generated role '$role' cannot be deleted\n" + if PVE::AccessControl::role_is_special($role); + PVE::AccessControl::lock_user_config( + sub { my $usercfg = cfs_read_file("user.cfg"); die "role '$role' does not exist\n" if !$usercfg->{roles}->{$role}; - + delete ($usercfg->{roles}->{$role}); # fixme: delete role from acl? cfs_write_file("user.cfg", $usercfg); }, "delete role failed"); - + return undef; - }}); +}}); 1;
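Review bot: In the `@@ -170,24 +183,26 @@` hunk the new `role_is_special` guard runs before `lock_user_config`, which is fine as long as `role_is_special` does not itself consult user.cfg (it is passed only the role name here, so presumably it is a static check). What the hunk leaves open is the existing `# fixme: delete role from acl?`: after `delete ($usercfg->{roles}->{$role})`, any ACL entry in the same config that still names this role keeps referring to a role that no longer exists, and whether that is treated as "no privileges" or as an error is decided elsewhere. Either refuse the delete while the role is still referenced, or drop those references inside the same lock before `cfs_write_file("user.cfg", $usercfg)`, so a single write leaves the config consistent.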