tfa list: account for admin permissions

instead of restricting listing tfa entries of others to
root@pam, perform the same checks the user-list does and
which also reflect the permissions of the api calls actually
operating on those users, so, `User.Modify` on the user (but
also `Sys.Audit`, since it's only a read-operation, just
like the user index API call)

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
index 31e57415169407c9bbc63f47af448c44724c21f1..fd42d900f72b9c4f1e41b11577d84efff8cfca1d 100644 (file)
--- a/src/PVE/API2/TFA.pm
+++ b/src/PVE/API2/TFA.pm
@@ -374,10 +374,24 @@ __PACKAGE__->register_method ({
 
        my $rpcenv = PVE::RPCEnvironment::get();
        my $authuser = $rpcenv->get_user();
-       my $top_level_allowed = ($authuser eq 'root@pam');
 
        my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
-       return $tfa_cfg->api_list_tfa($authuser, $top_level_allowed);
+       my $entries = $tfa_cfg->api_list_tfa($authuser, 1);
+
+       my $privs = [ 'User.Modify', 'Sys.Audit' ];
+       if ($rpcenv->check_any($authuser, "/access/groups", $privs, 1)) {
+           # can modify all
+           return $entries;
+       }
+
+       my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
+       my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
+       return [
+           grep {
+               my $userid = $_->{userid};
+               $userid eq $authuser || $allowed_users->{$userid}
+           } $entries->@*
+       ];
     }});
 
 __PACKAGE__->register_method ({