method => 'GET',
description => "Get Access Control List (ACLs).",
permissions => {
- check => ['perm', '/access', ['Sys.Audit', 'Permissions.Modify'], any => 1],
+ user => 'all',
},
parameters => {
additionalProperties => 0,
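Review bot: The description on line 2 still reads as if the full ACL were returned, but with `user => 'all'` every authenticated user can call this endpoint and, per the handler changes further down in this file, only gets the entries on paths they may audit or modify. That filtering is now the only access control on the endpoint, so it should be stated in the schema rather than discovered by reading the handler. Suggest `description => "Get Access Control List (ACLs). Only entries on paths the caller may audit (Sys.Audit on /access) or modify are returned."`.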
code => sub {
my ($param) = @_;
+ my $rpcenv = PVE::RPCEnvironment::get();
+ my $authuser = $rpcenv->get_user();
my $res = [];
- my $usercfg = cfs_read_file("user.cfg");
-
+ my $usercfg = $rpcenv->{user_cfg};
if (!$usercfg || !$usercfg->{acl}) {
return {};
}
+ my $audit = $rpcenv->check($authuser, '/access', ['Sys.Audit'], 1);
+
my $acl = $usercfg->{acl};
foreach my $path (keys %$acl) {
foreach my $type (qw(users groups)) {
my $d = $acl->{$path}->{$type};
next if !$d;
+ next if !($audit || $rpcenv->check_perm_modify($authuser, $path, 1));
foreach my $id (keys %$d) {
foreach my $role (keys %{$d->{$id}}) {
my $propagate = $d->{$id}->{$role};
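Review bot: The visibility check on line 27 sits inside the `foreach my $type (qw(users groups))` loop, so `check_perm_modify` is evaluated twice per ACL path although it depends only on `$path`; moving it to the top of the `foreach my $path` loop, `next if !($audit || $rpcenv->check_perm_modify($authuser, $path, 1));`, gives the same result with half the permission lookups. Evaluating `$audit` once up front on line 20 is already the right shape for that. Unrelated to the change but adjacent to it: the early `return {};` on line 18 returns a hash while the success path returns the `$res` array, so `return [];` would match the declared return type if that is an array (the `returns` schema is outside this hunk). The enclosing `code => sub` continues past the end of the hunk.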
path => '',
method => 'PUT',
permissions => {
- check => ['perm', '/access', ['Permissions.Modify']],
+ check => ['perm-modify', '{path}'],
},
description => "Update Access Control List (add or remove permissions).",
parameters => {
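Review bot: With `check => ['perm-modify', '{path}']` a caller holding only VM.Allocate or Datastore.Allocate on `{path}` (the substitutes accepted by `check_perm_modify` later in this series) now reaches the handler, whereas before Permissions.Modify on /access was required. The handler body is outside this hunk, so I cannot see whether it limits which roles such a caller may assign; if it does not, a user with VM.Allocate on `/vms/100` could grant a role such as Administrator on that path to themselves or others, which is an escalation beyond their own privileges. Suggest the handler, for callers lacking Permissions.Modify on /access, verify that every privilege of each role being added is already held by the caller on `$path`, and document that rule in this description.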
return $users;
}
+sub check_perm_modify {
+ my ($self, $username, $path, $noerr) = @_;
+
+ return $self->check($username, '/access', [ 'Permissions.Modify' ], $noerr) if !$path;
+
+ my $testperms = [ 'Permissions.Modify' ];
+ if ($path =~ m|^/storage/.+$|) {
+ push @$testperms, 'Datastore.Allocate';
+ } elsif ($path =~ m|^/vms/.+$|) {
+ push @$testperms, 'VM.Allocate';
+ }
+
+ return $self->check_any($username, $path, $testperms, $noerr);
+}
+
sub exec_api2_perm_check {
my ($self, $check, $username, $param, $noerr) = @_;
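Review bot: `check_perm_modify` encodes a policy decision (Datastore.Allocate or VM.Allocate on a storage or VM path is accepted in place of Permissions.Modify, and no path at all means Permissions.Modify on /access) without a comment saying so; a header comment along the lines of `# Permission to edit the ACL of $path: Permissions.Modify always suffices; on /storage/* and /vms/* paths Datastore.Allocate resp. VM.Allocate is accepted as well. Without a path, Permissions.Modify on /access is required.` would make the intent reviewable. The anchors on lines 47 and 49 use `$`, which in Perl also matches before a trailing newline, and `.+` also matches nested paths such as `/vms/100/foo`; `m|^/vms/[^/]+\z|` would pin both, if nested paths are not meant to get the relaxed check — harmless when callers normalize first, as `exec_api2_perm_check` does, but the GET handler passes raw ACL keys, so it is worth being explicit.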
my $any = $options{any};
die "missing parameters" if !($tmplpath && $privs);
my $path = PVE::Tools::template_replace($tmplpath, $param);
+ $path = PVE::AccessControl::normalize_path($path);
if ($any) {
return $self->check_any($username, $path, $privs, $noerr);
} else {
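Review bot: After the added `normalize_path` call on line 61 nothing checks its result before `$path` is handed to `check_any`; if `normalize_path` rejects a path by returning undef (as I believe the upstream implementation does for disallowed characters, though it is not visible here), the privilege lookup runs against an undefined path. Fail closed instead, `return 0 if !defined($path);` right after line 61, so the caller takes its normal permission-denied route. The `perm` branch starts before this hunk.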
} else {
die "unknown userid-param test";
}
- } else {
+ } elsif ($test eq 'perm-modify') {
+ my ($t, $tmplpath) = @$check;
+ my $path = PVE::Tools::template_replace($tmplpath, $param);
+ $path = PVE::AccessControl::normalize_path($path);
+ return $self->check_perm_modify($username, $path, $noerr);
+ } else {
die "unknown permission test";
}
};
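Review bot: The new `perm-modify` branch on lines 69-73 skips the `die "missing parameters"` guard that the `perm` branch applies to `$tmplpath`, so a check tuple without a template goes straight into `template_replace`. It also passes an undefined or rejected `normalize_path` result on to `check_perm_modify`, whose `!$path` fallback then silently checks Permissions.Modify on /access — fail-closed, but reinterpreting bad input as "no path" rather than reporting it. Suggest `die "missing parameters" if !$tmplpath;` after line 70 and `return 0 if !defined($path);` after line 72, mirroring the `perm` branch.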