path => '',
method => 'GET',
description => "Get Access Control List (ACLs).",
+ permissions => {
+ check => ['perm', '/access', ['Sys.Audit', 'Permissions.Modify'], any => 1],
+ },
parameters => {
additionalProperties => 0,
properties => {},
protected => 1,
path => '',
method => 'PUT',
+ permissions => {
+ check => ['perm', '/access', ['Permissions.Modify']],
+ },
description => "Update Access Control List (add or remove permissions).",
parameters => {
additionalProperties => 0,
name => 'create_ticket',
path => 'ticket',
method => 'POST',
- permissions => { user => 'world' },
+ permissions => {
+ description => "You need to pass valid credientials.",
+ user => 'world'
+ },
protected => 1, # else we can't access shadow files
description => "Create or verify authentication ticket.",
parameters => {
use PVE::JSONSchema qw(get_standard_option);
use PVE::SafeSyslog;
-
-use Data::Dumper; # fixme: remove
-
use PVE::RESTHandler;
my $domainconfigfile = "domains.cfg";
protected => 1,
path => '',
method => 'POST',
+ permissions => {
+ check => ['perm', '/access', ['Sys.Modify']],
+ },
description => "Add an authentication server.",
parameters => {
additionalProperties => 0,
name => 'update',
path => '{realm}',
method => 'PUT',
+ permissions => {
+ check => ['perm', '/access', ['Sys.Modify']],
+ },
description => "Update authentication server settings.",
protected => 1,
parameters => {
path => '{realm}',
method => 'GET',
description => "Get auth server configuration.",
+ permissions => {
+ check => ['perm', '/access', ['Sys.Audit']],
+ },
parameters => {
additionalProperties => 0,
properties => {
name => 'delete',
path => '{realm}',
method => 'DELETE',
+ permissions => {
+ check => ['perm', '/access', ['Sys.Modify']],
+ },
description => "Delete an authentication server.",
protected => 1,
parameters => {
path => '',
method => 'GET',
description => "Group index.",
+ permissions => {
+ description => "The returned list is restricted to groups where you have 'User.Add' or 'Sys.Audit' permissions on '/access', or 'User.Add' on /access/groups/<group>.",
+ user => 'all',
+ },
parameters => {
additionalProperties => 0,
properties => {},
my $res = [];
+ my $rpcenv = PVE::RPCEnvironment::get();
my $usercfg = cfs_read_file("user.cfg");
+ my $authuser = $rpcenv->get_user();
+
+ my $privs = [ 'User.Add', 'Sys.Audit' ];
+ my $allow = $rpcenv->check_any($authuser, "/access", $privs, 1);
+ my $allowed_groups = $rpcenv->filter_groups($authuser, $privs, 1);
foreach my $group (keys %{$usercfg->{groups}}) {
+ next if !($allow || $allowed_groups->{$group});
my $entry = &$extract_group_data($usercfg->{groups}->{$group});
$entry->{groupid} = $group;
push @$res, $entry;
protected => 1,
path => '',
method => 'POST',
+ permissions => {
+ check => ['perm', '/access', ['Sys.Modify']],
+ },
description => "Create new group.",
parameters => {
additionalProperties => 0,
protected => 1,
path => '{groupid}',
method => 'PUT',
+ permissions => {
+ check => ['perm', '/access', ['Sys.Modify']],
+ },
description => "Update group data.",
parameters => {
additionalProperties => 0,
name => 'read_group',
path => '{groupid}',
method => 'GET',
+ permissions => {
+ check => ['perm', '/access', ['Sys.Audit']],
+ },
description => "Get group configuration.",
parameters => {
additionalProperties => 0,
protected => 1,
path => '{groupid}',
method => 'DELETE',
+ permissions => {
+ check => ['perm', '/access', ['Sys.Modify']],
+ },
description => "Delete group.",
parameters => {
additionalProperties => 0,
path => '',
method => 'GET',
description => "Role index.",
+ permissions => {
+ check => ['perm', '/access', ['Sys.Audit']],
+ },
parameters => {
additionalProperties => 0,
properties => {},
protected => 1,
path => '',
method => 'POST',
+ permissions => {
+ check => ['perm', '/access', ['Sys.Modify']],
+ },
description => "Create new role.",
parameters => {
additionalProperties => 0,
protected => 1,
path => '{roleid}',
method => 'PUT',
+ permissions => {
+ check => ['perm', '/access', ['Sys.Modify']],
+ },
description => "Create new role.",
parameters => {
additionalProperties => 0,
name => 'read_role',
path => '{roleid}',
method => 'GET',
+ permissions => {
+ check => ['perm', '/access', ['Sys.Audit']],
+ },
description => "Get role configuration.",
parameters => {
additionalProperties => 0,
protected => 1,
path => '{roleid}',
method => 'DELETE',
+ permissions => {
+ check => ['perm', '/access', ['Sys.Modify']],
+ },
description => "Delete role.",
parameters => {
additionalProperties => 0,
path => '',
method => 'GET',
description => "User index.",
- permissions => { user => 'all' },
+ permissions => {
+ description => "The returned list is restricted to users where you have 'User.Modify' or 'User.Delete' permissions on '/access' or on a group the user belongs too. But it always includes the current (authenticated) user.",
+ user => 'all',
+ },
parameters => {
additionalProperties => 0,
properties => {
protected => 1,
path => '',
method => 'POST',
+ permissions => {
+ description => "You need 'User.Add' permissions to '/access/groups/<group>' for any group specified, or 'User.Add' on '/access' if you pass no groups.",
+ check => ['userid-group', ['User.Add'], groups_param => 1],
+ },
description => "Create new user.",
parameters => {
additionalProperties => 0,
path => '{userid}',
method => 'GET',
description => "Get user configuration.",
+ permissions => {
+ check => ['userid-group', ['User.Modify']],
+ },
parameters => {
additionalProperties => 0,
properties => {
protected => 1,
path => '{userid}',
method => 'PUT',
+ permissions => {
+ check => ['userid-group', ['User.Modify'], groups_param => 1 ],
+ },
description => "Update user configuration.",
parameters => {
additionalProperties => 0,