X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAPI2%2FRole.pm;h=bc77305ef54ed6302bd378e3088f5c3d16770d63;hp=6392e133a2bd673dcc96072c11f0a8ded689073f;hb=e41cc73c52cc784da82c8e96a7bcfbb0e017dbb5;hpb=82b63965ebbeb41d16a76051018992144eda0a6a
diff --git a/PVE/API2/Role.pm b/PVE/API2/Role.pm
index 6392e13..bc77305 100644
--- a/PVE/API2/Role.pm
+++ b/PVE/API2/Role.pm
@@ -7,18 +7,16 @@ use PVE::AccessControl; use PVE::SafeSyslog; -use Data::Dumper; # fixme: remove - use PVE::RESTHandler; use base qw(PVE::RESTHandler); __PACKAGE__->register_method ({ - name => 'index', - path => '', + name => 'index', + path => '', method => 'GET', description => "Role index.", - permissions => { + permissions => { user => 'all', }, parameters => {
@@ -37,30 +35,31 @@ __PACKAGE__->register_method ({ }, code => sub { my ($param) = @_; - + my $res = []; my $usercfg = cfs_read_file("user.cfg"); - + foreach my $role (keys %{$usercfg->{roles}}) { my $privs = join(',', sort keys %{$usercfg->{roles}->{$role}}); - push @$res, { roleid => $role, privs => $privs }; + push @$res, { roleid => $role, privs => $privs, + special => PVE::AccessControl::role_is_special($role) }; } return $res; - }}); +}}); __PACKAGE__->register_method ({ - name => 'create_role', + name => 'create_role', protected => 1, - path => '', + path => '', method => 'POST', - permissions => { + permissions => { check => ['perm', '/access', ['Sys.Modify']], }, description => "Create new role.", parameters => { - additionalProperties => 0, + additionalProperties => 0, properties => { roleid => { type => 'string', format => 'pve-roleid' }, privs => { type => 'string' , format => 'pve-priv-list', optional => 1 }, 
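Review bot: The `special` key added to each index entry should also be declared in the method's `returns` schema, which lies above this hunk and is not touched by the diff; if its `properties` still list only `roleid` and `privs`, the new field is absent from the generated API reference and clients have nothing to rely on. An entry such as `special => { type => 'boolean', description => "Role is auto-generated and cannot be deleted." }` next to the existing ones would cover it. It is also worth confirming that `PVE::AccessControl::role_is_special` returns 0/1 rather than a bare truth value so the field serialises as a proper boolean — its implementation is not visible here. The `index` handler's `returns` block and the start of the sub lie outside the hunk.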
@@ -72,12 +71,12 @@ __PACKAGE__->register_method ({ PVE::AccessControl::lock_user_config( sub { - + my $usercfg = cfs_read_file("user.cfg"); my $role = $param->{roleid}; - die "role '$role' already exists\n" + die "role '$role' already exists\n" if $usercfg->{roles}->{$role}; $usercfg->{roles}->{$role} = {};
@@ -88,24 +87,24 @@ __PACKAGE__->register_method ({ }, "create role failed"); return undef; - }}); +}}); __PACKAGE__->register_method ({ - name => 'update_role', + name => 'update_role', protected => 1, - path => '{roleid}', + path => '{roleid}', method => 'PUT', - permissions => { + permissions => { check => ['perm', '/access', ['Sys.Modify']], }, description => "Create new role.", parameters => { - additionalProperties => 0, + additionalProperties => 0, properties => { roleid => { type => 'string', format => 'pve-roleid' }, privs => { type => 'string' , format => 'pve-priv-list' }, - append => { - type => 'boolean', + append => { + type => 'boolean', optional => 1, requires => 'privs', },
@@ -117,12 +116,12 @@ __PACKAGE__->register_method ({ PVE::AccessControl::lock_user_config( sub { - + my $role = $param->{roleid}; my $usercfg = cfs_read_file("user.cfg"); - - die "role '$role' does not exist\n" + + die "role '$role' does not exist\n" if !$usercfg->{roles}->{$role}; $usercfg->{roles}->{$role} = {} if !$param->{append};
@@ -133,19 +132,19 @@ __PACKAGE__->register_method ({ }, "update role failed"); return undef; - }}); +}}); # fixme: return format! __PACKAGE__->register_method ({ - name => 'read_role', - path => '{roleid}', + name => 'read_role', + path => '{roleid}', method => 'GET', - permissions => { + permissions => { user => 'all', }, description => "Get role configuration.", parameters => { - additionalProperties => 0, + additionalProperties => 0, properties => { roleid => { type => 'string' , format => 'pve-roleid' }, }, 
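Review bot: The `description` of `update_role` still reads `"Create new role."`, duplicated from `create_role`; that string is what the generated API documentation shows for the PUT handler, so it should describe the update, e.g. `description => "Update an existing role.",`. The hunk only reflows whitespace around this line, so the fix fits naturally into the same cleanup.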
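Review bot: `update_role` has no counterpart to the `role_is_special` guard that `delete_role` gains in the last hunk; the lock body visible here goes from `die "role '$role' does not exist\n"` straight to `$usercfg->{roles}->{$role} = {} if !$param->{append};`, so a PUT against an auto-generated role either rewrites a built-in role or is silently dropped by the config writer, depending on how special roles are treated on write — the diff does not show which. Unless a check exists above this hunk (the handler begins outside it), add the same guard right after `my $role = $param->{roleid};`: `die "auto-generated role '$role' cannot be modified\n" if PVE::AccessControl::role_is_special($role);`. Keeping the two handlers symmetric also makes the intent of the new delete-side check easier to follow.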
@@ -163,20 +162,19 @@ __PACKAGE__->register_method ({ die "role '$role' does not exist\n" if !$data; return $data; - }}); - +}}); __PACKAGE__->register_method ({ - name => 'delete_role', + name => 'delete_role', protected => 1, - path => '{roleid}', + path => '{roleid}', method => 'DELETE', - permissions => { + permissions => { check => ['perm', '/access', ['Sys.Modify']], }, description => "Delete role.", parameters => { - additionalProperties => 0, + additionalProperties => 0, properties => { roleid => { type => 'string', format => 'pve-roleid' }, }
@@ -185,24 +183,26 @@ __PACKAGE__->register_method ({ code => sub { my ($param) = @_; - PVE::AccessControl::lock_user_config( - sub { + my $role = $param->{roleid}; - my $role = $param->{roleid}; + die "auto-generated role '$role' cannot be deleted\n" + if PVE::AccessControl::role_is_special($role); + PVE::AccessControl::lock_user_config( + sub { my $usercfg = cfs_read_file("user.cfg"); die "role '$role' does not exist\n" if !$usercfg->{roles}->{$role}; - + delete ($usercfg->{roles}->{$role}); # fixme: delete role from acl? cfs_write_file("user.cfg", $usercfg); }, "delete role failed"); - + return undef; - }}); +}}); 1;
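Review bot: The `# fixme: delete role from acl?` that survives inside the lock body is the remaining gap in this rewrite: `delete ($usercfg->{roles}->{$role})` removes the definition, but any ACL entry that names the role is left behind, so the stale grant comes back into effect the moment a role with the same name is created again, carrying whatever privileges the new role defines. Since the write already happens under `lock_user_config`, removing those ACL references in the same callback before `cfs_write_file("user.cfg", $usercfg)` keeps the cleanup atomic with the role removal. I cannot tell from the hunk whether `PVE::AccessControl` already offers a helper that walks the ACL tree for a role; if not, one belongs there next to `role_is_special`. Placing the new `role_is_special` check before the lock is fine as long as it only inspects the role name, which appears to be the case.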