Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
method => 'POST',
permissions => {
description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
method => 'POST',
permissions => {
description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
- check => [ 'and',
- [ 'userid-param', 'Realm.AllocateUser'],
- [ 'userid-group', ['User.Modify'], groups_param => 1],
- ],
+ check => [
+ 'and',
+ [ 'userid-param', 'Realm.AllocateUser'],
+ [ 'userid-group', ['User.Modify'], groups_param => 1],
+ ],
},
description => "Create new user.",
parameters => {
},
description => "Create new user.",
parameters => {
code => sub {
my ($param) = @_;
code => sub {
my ($param) = @_;
- my ($username, undef, $domain) =
- PVE::AccessControl::verify_username($param->{userid});
+ my ($username, undef, $domain) = PVE::AccessControl::verify_username($param->{userid});
my $usercfg = cfs_read_file("user.cfg");
my $usercfg = cfs_read_file("user.cfg");
code => sub {
my ($param) = @_;
code => sub {
my ($param) = @_;
- my ($username, $ruid, $realm) =
- PVE::AccessControl::verify_username($param->{userid});
-
- PVE::AccessControl::lock_user_config(
- sub {
+ my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
- my $usercfg = cfs_read_file("user.cfg");
-
- PVE::AccessControl::check_user_exist($usercfg, $username);
+ PVE::AccessControl::lock_user_config(sub {
+ my $usercfg = cfs_read_file("user.cfg");
- $usercfg->{users}->{$username}->{enable} = $param->{enable} if defined($param->{enable});
+ PVE::AccessControl::check_user_exist($usercfg, $username);
- $usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire});
+ $usercfg->{users}->{$username}->{enable} = $param->{enable} if defined($param->{enable});
+ $usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire});
- PVE::AccessControl::delete_user_group($username, $usercfg)
- if (!$param->{append} && defined($param->{groups}));
+ PVE::AccessControl::delete_user_group($username, $usercfg)
+ if (!$param->{append} && defined($param->{groups}));
- if ($param->{groups}) {
- foreach my $group (split_list($param->{groups})) {
- if ($usercfg->{groups}->{$group}) {
- PVE::AccessControl::add_user_group($username, $usercfg, $group);
- } else {
- die "no such group '$group'\n";
- }
+ if ($param->{groups}) {
+ foreach my $group (split_list($param->{groups})) {
+ if ($usercfg->{groups}->{$group}) {
+ PVE::AccessControl::add_user_group($username, $usercfg, $group);
+ } else {
+ die "no such group '$group'\n";
- $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if defined($param->{firstname});
- $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if defined($param->{lastname});
- $usercfg->{users}->{$username}->{email} = $param->{email} if defined($param->{email});
- $usercfg->{users}->{$username}->{comment} = $param->{comment} if defined($param->{comment});
- $usercfg->{users}->{$username}->{keys} = $param->{keys} if defined($param->{keys});
+ $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if defined($param->{firstname});
+ $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if defined($param->{lastname});
+ $usercfg->{users}->{$username}->{email} = $param->{email} if defined($param->{email});
+ $usercfg->{users}->{$username}->{comment} = $param->{comment} if defined($param->{comment});
+ $usercfg->{users}->{$username}->{keys} = $param->{keys} if defined($param->{keys});
- cfs_write_file("user.cfg", $usercfg);
- }, "update user failed");
+ cfs_write_file("user.cfg", $usercfg);
+ }, "update user failed");
description => "Delete user.",
permissions => {
check => [ 'and',
description => "Delete user.",
permissions => {
check => [ 'and',
- [ 'userid-param', 'Realm.AllocateUser'],
- [ 'userid-group', ['User.Modify']],
- ],
+ [ 'userid-param', 'Realm.AllocateUser'],
+ [ 'userid-group', ['User.Modify']],
+ ],
},
parameters => {
additionalProperties => 0,
},
parameters => {
additionalProperties => 0,
my $rpcenv = PVE::RPCEnvironment::get();
my $authuser = $rpcenv->get_user();
my $rpcenv = PVE::RPCEnvironment::get();
my $authuser = $rpcenv->get_user();
- my ($userid, $ruid, $realm) =
- PVE::AccessControl::verify_username($param->{userid});
+ my ($userid, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
- PVE::AccessControl::lock_user_config(
- sub {
-
- my $usercfg = cfs_read_file("user.cfg");
+ PVE::AccessControl::lock_user_config(sub {
+ my $usercfg = cfs_read_file("user.cfg");
- my $domain_cfg = cfs_read_file('domains.cfg');
- if (my $cfg = $domain_cfg->{ids}->{$realm}) {
- my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
- $plugin->delete_user($cfg, $realm, $ruid);
- }
+ my $domain_cfg = cfs_read_file('domains.cfg');
+ if (my $cfg = $domain_cfg->{ids}->{$realm}) {
+ my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
+ $plugin->delete_user($cfg, $realm, $ruid);
+ }
- # Remove TFA data before removing the user entry as the user entry tells us whether
- # we need ot update priv/tfa.cfg.
- PVE::AccessControl::user_set_tfa($userid, $realm, undef, undef, $usercfg, $domain_cfg);
+ # Remove TFA data before removing the user entry as the user entry tells us whether
+ # we need ot update priv/tfa.cfg.
+ PVE::AccessControl::user_set_tfa($userid, $realm, undef, undef, $usercfg, $domain_cfg);
- delete $usercfg->{users}->{$userid};
+ delete $usercfg->{users}->{$userid};
- PVE::AccessControl::delete_user_group($userid, $usercfg);
- PVE::AccessControl::delete_user_acl($userid, $usercfg);
- cfs_write_file("user.cfg", $usercfg);
- }, "delete user failed");
+ PVE::AccessControl::delete_user_group($userid, $usercfg);
+ PVE::AccessControl::delete_user_acl($userid, $usercfg);
+ cfs_write_file("user.cfg", $usercfg);
+ }, "delete user failed");
my ($username, undef, $realm) = PVE::AccessControl::verify_username($param->{userid});
my ($username, undef, $realm) = PVE::AccessControl::verify_username($param->{userid});
my $domain_cfg = cfs_read_file('domains.cfg');
my $realm_cfg = $domain_cfg->{ids}->{$realm};
die "auth domain '$realm' does not exist\n" if !$realm_cfg;
my $realm_tfa = {};
my $domain_cfg = cfs_read_file('domains.cfg');
my $realm_cfg = $domain_cfg->{ids}->{$realm};
die "auth domain '$realm' does not exist\n" if !$realm_cfg;
my $realm_tfa = {};
- $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_cfg->{tfa})
- if $realm_cfg->{tfa};
+ $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_cfg->{tfa}) if $realm_cfg->{tfa};
my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
my $tfa = $tfa_cfg->{users}->{$username};
my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
my $tfa = $tfa_cfg->{users}->{$username};
method => 'GET',
description => "Get user API tokens.",
permissions => {
method => 'GET',
description => "Get user API tokens.",
permissions => {
- check => ['or',
- ['userid-param', 'self'],
- ['perm', '/access/users/{userid}', ['User.Modify']],
+ check => [
+ 'or',
+ ['userid-param', 'self'],
+ ['perm', '/access/users/{userid}', ['User.Modify']],
method => 'GET',
description => "Get specific API token information.",
permissions => {
method => 'GET',
description => "Get specific API token information.",
permissions => {
- check => ['or',
- ['userid-param', 'self'],
- ['perm', '/access/users/{userid}', ['User.Modify']],
+ check => [
+ 'or',
+ ['userid-param', 'self'],
+ ['perm', '/access/users/{userid}', ['User.Modify']],
description => "Generate a new API token for a specific user. NOTE: returns API token value, which needs to be stored as it cannot be retrieved afterwards!",
protected => 1,
permissions => {
description => "Generate a new API token for a specific user. NOTE: returns API token value, which needs to be stored as it cannot be retrieved afterwards!",
protected => 1,
permissions => {
- check => ['or',
- ['userid-param', 'self'],
- ['perm', '/access/users/{userid}', ['User.Modify']],
+ check => [
+ 'or',
+ ['userid-param', 'self'],
+ ['perm', '/access/users/{userid}', ['User.Modify']],
description => "Update API token for a specific user.",
protected => 1,
permissions => {
description => "Update API token for a specific user.",
protected => 1,
permissions => {
- check => ['or',
- ['userid-param', 'self'],
- ['perm', '/access/users/{userid}', ['User.Modify']],
+ check => [
+ 'or',
+ ['userid-param', 'self'],
+ ['perm', '/access/users/{userid}', ['User.Modify']],
my $usercfg = cfs_read_file("user.cfg");
my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
my $usercfg = cfs_read_file("user.cfg");
my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
- my $update_token = sub {
+ PVE::AccessControl::lock_user_config(sub {
$usercfg = cfs_read_file("user.cfg");
$token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
$usercfg = cfs_read_file("user.cfg");
$token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
$usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
cfs_write_file("user.cfg", $usercfg);
$usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
cfs_write_file("user.cfg", $usercfg);
- };
-
- PVE::AccessControl::lock_user_config($update_token, 'updating token info failed');
+ }, 'updating token info failed');
description => "Remove API token for a specific user.",
protected => 1,
permissions => {
description => "Remove API token for a specific user.",
protected => 1,
permissions => {
- check => ['or',
- ['userid-param', 'self'],
- ['perm', '/access/users/{userid}', ['User.Modify']],
+ check => [
+ 'or',
+ ['userid-param', 'self'],
+ ['perm', '/access/users/{userid}', ['User.Modify']],
my $usercfg = cfs_read_file("user.cfg");
my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
my $usercfg = cfs_read_file("user.cfg");
my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
- my $update_token = sub {
+ PVE::AccessControl::lock_user_config(sub {
$usercfg = cfs_read_file("user.cfg");
PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
$usercfg = cfs_read_file("user.cfg");
PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
delete $usercfg->{users}->{$userid}->{tokens}->{$tokenid};
cfs_write_file("user.cfg", $usercfg);
delete $usercfg->{users}->{$userid}->{tokens}->{$tokenid};
cfs_write_file("user.cfg", $usercfg);
- };
-
- PVE::AccessControl::lock_user_config($update_token, 'deleting token failed');
+ }, 'deleting token failed');
projects / pve-access-control.git / commitdiff