X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAPI2%2FUser.pm;h=602e3f030ba4bc990adf7717e659f1007cf1b7f5;hp=2d38dd1c59d6a339f7a6a661e0404d8518b71b5e;hb=5654af83fa4f8ffc4e44176eea6229716eae2036;hpb=37d45debb1e61873fb50836fc0864b5df5f8372e diff --git a/PVE/API2/User.pm b/PVE/API2/User.pm index 2d38dd1..602e3f0 100644 --- a/PVE/API2/User.pm +++ b/PVE/API2/User.pm @@ -10,8 +10,6 @@ use PVE::JSONSchema qw(get_standard_option); use PVE::SafeSyslog; -use Data::Dumper; # fixme: remove - use PVE::RESTHandler; use base qw(PVE::RESTHandler); @@ -21,7 +19,7 @@ my $extract_user_data = sub { my $res = {}; - foreach my $prop (qw(enable expire firstname lastname email comment)) { + foreach my $prop (qw(enable expire firstname lastname email comment keys)) { $res->{$prop} = $data->{$prop} if defined($data->{$prop}); } @@ -37,7 +35,10 @@ __PACKAGE__->register_method ({ path => '', method => 'GET', description => "User index.", - permissions => { user => 'all' }, + permissions => { + description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.", + user => 'all', + }, parameters => { additionalProperties => 0, properties => { @@ -67,10 +68,9 @@ __PACKAGE__->register_method ({ my $res = []; - my $privs = [ 'Sys.UserMod', 'Sys.UserAdd' ]; - - my $canUserMod = $rpcenv->check_any($authuser, "/access", $privs, 1); - my $groups = $rpcenv->filter_groups($authuser, sub { return "/access/groups/" . shift; }, $privs, 1); + my $privs = [ 'User.Modify', 'Sys.Audit' ]; + my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1); + my $groups = $rpcenv->filter_groups($authuser, $privs, 1); my $allowed_users = $rpcenv->group_member_join([keys %$groups]); foreach my $user (keys %{$usercfg->{users}}) { @@ -98,6 +98,13 @@ __PACKAGE__->register_method ({ protected => 1, path => '', method => 'POST', + permissions => { + description => "You need 'Realm.AllocateUser' on '/access/realm/' on the realm of user , and 'User.Modify' permissions to '/access/groups/' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.", + check => [ 'and', + [ 'userid-param', 'Realm.AllocateUser'], + [ 'userid-group', ['User.Modify'], groups_param => 1], + ], + }, description => "Create new user.", parameters => { additionalProperties => 0, @@ -110,11 +117,20 @@ __PACKAGE__->register_method ({ minLength => 5, maxLength => 64 }, - groups => { type => 'string', optional => 1, format => 'pve-groupid-list'}, + groups => { + type => 'string', format => 'pve-groupid-list', + optional => 1, + completion => \&PVE::AccessControl::complete_group, + }, firstname => { type => 'string', optional => 1 }, lastname => { type => 'string', optional => 1 }, email => { type => 'string', optional => 1, format => 'email-opt' }, comment => { type => 'string', optional => 1 }, + keys => { + description => "Keys for two factor auth (yubico).", + type => 'string', + optional => 1, + }, expire => { description => "Account expiration date (seconds since epoch). '0' means no expiration date.", type => 'integer', @@ -164,6 +180,7 @@ __PACKAGE__->register_method ({ $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if $param->{lastname}; $usercfg->{users}->{$username}->{email} = $param->{email} if $param->{email}; $usercfg->{users}->{$username}->{comment} = $param->{comment} if $param->{comment}; + $usercfg->{users}->{$username}->{keys} = $param->{keys} if $param->{keys}; cfs_write_file("user.cfg", $usercfg); }, "create user failed"); @@ -176,6 +193,9 @@ __PACKAGE__->register_method ({ path => '{userid}', method => 'GET', description => "Get user configuration.", + permissions => { + check => ['userid-group', ['User.Modify', 'Sys.Audit']], + }, parameters => { additionalProperties => 0, properties => { @@ -191,6 +211,7 @@ __PACKAGE__->register_method ({ lastname => { type => 'string', optional => 1 }, email => { type => 'string', optional => 1 }, comment => { type => 'string', optional => 1 }, + keys => { type => 'string', optional => 1 }, groups => { type => 'array' }, } }, @@ -212,12 +233,21 @@ __PACKAGE__->register_method ({ protected => 1, path => '{userid}', method => 'PUT', + permissions => { + check => ['userid-group', ['User.Modify'], groups_param => 1 ], + }, description => "Update user configuration.", parameters => { additionalProperties => 0, properties => { - userid => get_standard_option('userid'), - groups => { type => 'string', optional => 1, format => 'pve-groupid-list' }, + userid => get_standard_option('userid', { + completion => \&PVE::AccessControl::complete_username, + }), + groups => { + type => 'string', format => 'pve-groupid-list', + optional => 1, + completion => \&PVE::AccessControl::complete_group, + }, append => { type => 'boolean', optional => 1, @@ -232,6 +262,11 @@ __PACKAGE__->register_method ({ lastname => { type => 'string', optional => 1 }, email => { type => 'string', optional => 1, format => 'email-opt' }, comment => { type => 'string', optional => 1 }, + keys => { + description => "Keys for two factor auth (yubico).", + type => 'string', + optional => 1, + }, expire => { description => "Account expiration date (seconds since epoch). '0' means no expiration date.", type => 'integer', @@ -275,6 +310,7 @@ __PACKAGE__->register_method ({ $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if defined($param->{lastname}); $usercfg->{users}->{$username}->{email} = $param->{email} if defined($param->{email}); $usercfg->{users}->{$username}->{comment} = $param->{comment} if defined($param->{comment}); + $usercfg->{users}->{$username}->{keys} = $param->{keys} if defined($param->{keys}); cfs_write_file("user.cfg", $usercfg); }, "update user failed"); @@ -288,11 +324,18 @@ __PACKAGE__->register_method ({ path => '{userid}', method => 'DELETE', description => "Delete user.", - permissions => { user => 'all' }, + permissions => { + check => [ 'and', + [ 'userid-param', 'Realm.AllocateUser'], + [ 'userid-group', ['User.Modify']], + ], + }, parameters => { additionalProperties => 0, properties => { - userid => get_standard_option('userid'), + userid => get_standard_option('userid', { + completion => \&PVE::AccessControl::complete_username, + }), } }, returns => { type => 'null' }, @@ -310,18 +353,13 @@ __PACKAGE__->register_method ({ my $usercfg = cfs_read_file("user.cfg"); - PVE::AccessControl::check_user_exist($usercfg, $userid); - - my $privs = [ 'Sys.UserAdd' ]; # there is no Sys.UserDel - if (!$rpcenv->check($authuser, "/access", $privs, 1)) { - my $groups = $rpcenv->filter_groups($authuser, sub { return "/access/groups/" . shift; }, $privs, 1); - my $allowed_users = $rpcenv->group_member_join([keys %$groups]); - raise_perm_exc() if !$allowed_users->{$userid}; + my $domain_cfg = cfs_read_file('domains.cfg'); + if (my $cfg = $domain_cfg->{ids}->{$realm}) { + my $plugin = PVE::Auth::Plugin->lookup($cfg->{type}); + $plugin->delete_user($cfg, $realm, $ruid); } - delete ($usercfg->{users}->{$userid}); - - PVE::AccessControl::delete_shadow_password($ruid) if $realm eq 'pve'; + delete $usercfg->{users}->{$userid}; PVE::AccessControl::delete_user_group($userid, $usercfg); PVE::AccessControl::delete_user_acl($userid, $usercfg);