X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=src%2FPVE%2FAPI2%2FTFA.pm;h=fd42d900f72b9c4f1e41b11577d84efff8cfca1d;hp=31e57415169407c9bbc63f47af448c44724c21f1;hb=dc7ef2401a0b099183d4463b23da55fc8d99e961;hpb=dd9e95b18773b97131ab65d76110f1c4489bf9f6

diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
index 31e5741..fd42d90 100644
--- a/src/PVE/API2/TFA.pm
+++ b/src/PVE/API2/TFA.pm
@@ -374,10 +374,24 @@ __PACKAGE__->register_method ({
 
 	my $rpcenv = PVE::RPCEnvironment::get();
 	my $authuser = $rpcenv->get_user();
-	my $top_level_allowed = ($authuser eq 'root@pam');
 
 	my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
-	return $tfa_cfg->api_list_tfa($authuser, $top_level_allowed);
+	my $entries = $tfa_cfg->api_list_tfa($authuser, 1);
+
+	my $privs = [ 'User.Modify', 'Sys.Audit' ];
+	if ($rpcenv->check_any($authuser, "/access/groups", $privs, 1)) {
+	    # can modify all
+	    return $entries;
+	}
+
+	my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
+	my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
+	return [
+	    grep {
+		my $userid = $_->{userid};
+		$userid eq $authuser || $allowed_users->{$userid}
+	    } $entries->@*
+	];
     }});
 
 __PACKAGE__->register_method ({