From: Dietmar Maurer
Date: Tue, 24 Jan 2012 10:50:41 +0000 (+0100)
Subject: fix access control
X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=commitdiff_plain;h=9691923469709bd3f5660748e17a6036ad80faaa
fix access control
---
diff --git a/PVE/API2/ACL.pm b/PVE/API2/ACL.pm
index f122542..66f4129 100644
--- a/PVE/API2/ACL.pm
+++ b/PVE/API2/ACL.pm
@@ -20,6 +20,9 @@ __PACKAGE__->register_method ({
 path => '',
 method => 'GET',
 description => "Get Access Control List (ACLs).",
+ permissions => {
+ check => ['perm', '/access', ['Sys.Audit', 'Permissions.Modify'], any => 1],
+ },
 parameters => {
 additionalProperties => 0,
 properties => {},
@@ -77,6 +80,9 @@ __PACKAGE__->register_method ({
 protected => 1,
 path => '',
 method => 'PUT',
+ permissions => {
+ check => ['perm', '/access', ['Permissions.Modify']],
+ },
 description => "Update Access Control List (add or remove permissions).",
 parameters => {
 additionalProperties => 0,
diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm
index 46b5510..a407648 100644
--- a/PVE/API2/AccessControl.pm
+++ b/PVE/API2/AccessControl.pm
@@ -132,7 +132,10 @@ __PACKAGE__->register_method ({
 name => 'create_ticket',
 path => 'ticket',
 method => 'POST',
- permissions => { user => 'world' },
+ permissions => {
+ description => "You need to pass valid credientials.",
+ user => 'world'
+ },
 protected => 1, # else we can't access shadow files
 description => "Create or verify authentication ticket.",
 parameters => {
diff --git a/PVE/API2/Domains.pm b/PVE/API2/Domains.pm
index c79e44e..8ffd217 100644
--- a/PVE/API2/Domains.pm
+++ b/PVE/API2/Domains.pm
@@ -7,9 +7,6 @@ use PVE::AccessControl;
 use PVE::JSONSchema qw(get_standard_option);
 use PVE::SafeSyslog;
-
-use Data::Dumper; # fixme: remove
-
 use PVE::RESTHandler;
 my $domainconfigfile = "domains.cfg";
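Review bot: In the `@@ -77,6 +80,9 @@` hunk of PVE/API2/ACL.pm the PUT check is bound to the fixed path '/access', so a holder of 'Permissions.Modify' there can presumably change ACL entries for every path, including entries that widen their own rights. The method's parameters and handler are outside the hunk, so confirm whether a target path is accepted; if it is, the privilege should be evaluated against that path rather than against '/access'. At minimum the reach should be stated in the schema, for example `description => "Requires 'Permissions.Modify' on '/access'; this permits changing ACLs on every path.",` inside `permissions`.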
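Review bot: The `permissions` description added in the `create_ticket` hunk of PVE/API2/AccessControl.pm (`@@ -132,7 +132,10 @@`) misspells "credentials" as "credientials", and this string is presumably surfaced in the generated API documentation. Suggested line: `description => "You need to pass valid credentials.",`. The same block leaves `user => 'world'` without a trailing comma, unlike the other `permissions` blocks this commit adds. The User index description in PVE/API2/User.pm (`@@ -37,7 +37,10 @@`) has a similar slip, "belongs too" for "belongs to".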
@@ -60,6 +57,9 @@ __PACKAGE__->register_method ({
 protected => 1,
 path => '',
 method => 'POST',
+ permissions => {
+ check => ['perm', '/access', ['Sys.Modify']],
+ },
 description => "Add an authentication server.",
 parameters => {
 additionalProperties => 0,
@@ -167,6 +167,9 @@ __PACKAGE__->register_method ({
 name => 'update',
 path => '{realm}',
 method => 'PUT',
+ permissions => {
+ check => ['perm', '/access', ['Sys.Modify']],
+ },
 description => "Update authentication server settings.",
 protected => 1,
 parameters => {
@@ -269,6 +272,9 @@ __PACKAGE__->register_method ({
 path => '{realm}',
 method => 'GET',
 description => "Get auth server configuration.",
+ permissions => {
+ check => ['perm', '/access', ['Sys.Audit']],
+ },
 parameters => {
 additionalProperties => 0,
 properties => {
@@ -294,6 +300,9 @@ __PACKAGE__->register_method ({
 name => 'delete',
 path => '{realm}',
 method => 'DELETE',
+ permissions => {
+ check => ['perm', '/access', ['Sys.Modify']],
+ },
 description => "Delete an authentication server.",
 protected => 1,
 parameters => {
diff --git a/PVE/API2/Group.pm b/PVE/API2/Group.pm
index 3a80225..435e019 100644
--- a/PVE/API2/Group.pm
+++ b/PVE/API2/Group.pm
@@ -33,6 +33,10 @@ __PACKAGE__->register_method ({
 path => '',
 method => 'GET',
 description => "Group index.",
+ permissions => {
+ description => "The returned list is restricted to groups where you have 'User.Add' or 'Sys.Audit' permissions on '/access', or 'User.Add' on /access/groups/.",
+ user => 'all',
+ },
 parameters => {
 additionalProperties => 0,
 properties => {},
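Review bot: The description added in the Group index hunk (`@@ -33,6 +33,10 @@` of PVE/API2/Group.pm) does not match the filter added in the following hunk (`@@ -52,9 +56,16 @@`). The code passes both 'User.Add' and 'Sys.Audit' to `filter_groups`, while the text names only 'User.Add' at group level. The group path is also printed as `/access/groups/` with no group placeholder and is the only path left unquoted. Because this string tells administrators who can enumerate which groups, it should state the rule the code enforces, e.g. `description => "The returned list is restricted to groups where you have 'User.Add' or 'Sys.Audit' permissions on '/access' or on '/access/groups/{groupid}'.",`. This assumes `filter_groups` checks that per-group path, which is not visible here.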
@@ -52,9 +56,16 @@ __PACKAGE__->register_method ({
 my $res = [];
+ my $rpcenv = PVE::RPCEnvironment::get();
 my $usercfg = cfs_read_file("user.cfg");
+ my $authuser = $rpcenv->get_user();
+
+ my $privs = [ 'User.Add', 'Sys.Audit' ];
+ my $allow = $rpcenv->check_any($authuser, "/access", $privs, 1);
+ my $allowed_groups = $rpcenv->filter_groups($authuser, $privs, 1);
 foreach my $group (keys %{$usercfg->{groups}}) {
+ next if !($allow || $allowed_groups->{$group});
 my $entry = &$extract_group_data($usercfg->{groups}->{$group});
 $entry->{groupid} = $group;
 push @$res, $entry;
@@ -68,6 +79,9 @@ __PACKAGE__->register_method ({
 protected => 1,
 path => '',
 method => 'POST',
+ permissions => {
+ check => ['perm', '/access', ['Sys.Modify']],
+ },
 description => "Create new group.",
 parameters => {
 additionalProperties => 0,
@@ -106,6 +120,9 @@ __PACKAGE__->register_method ({
 protected => 1,
 path => '{groupid}',
 method => 'PUT',
+ permissions => {
+ check => ['perm', '/access', ['Sys.Modify']],
+ },
 description => "Update group data.",
 parameters => {
 additionalProperties => 0,
@@ -144,6 +161,9 @@ __PACKAGE__->register_method ({
 name => 'read_group',
 path => '{groupid}',
 method => 'GET',
+ permissions => {
+ check => ['perm', '/access', ['Sys.Audit']],
+ },
 description => "Get group configuration.",
 parameters => {
 additionalProperties => 0,
@@ -172,6 +192,9 @@ __PACKAGE__->register_method ({
 protected => 1,
 path => '{groupid}',
 method => 'DELETE',
+ permissions => {
+ check => ['perm', '/access', ['Sys.Modify']],
+ },
 description => "Delete group.",
 parameters => {
 additionalProperties => 0,
diff --git a/PVE/API2/Role.pm b/PVE/API2/Role.pm
index 396ba48..509938c 100644
--- a/PVE/API2/Role.pm
+++ b/PVE/API2/Role.pm
@@ -18,6 +18,9 @@ __PACKAGE__->register_method ({
 path => '',
 method => 'GET',
 description => "Role index.",
+ permissions => {
+ check => ['perm', '/access', ['Sys.Audit']],
+ },
 parameters => {
 additionalProperties => 0,
 properties => {},
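Review bot: In the Group index handler hunk (`@@ -52,9 +56,16 @@`), the trailing `1` passed to `check_any` and to `filter_groups` is undocumented. The two flags probably do not mean the same thing (a no-error flag for the former, an any-of flag for the latter), but neither signature is on this page. Since these two calls decide which groups a caller may enumerate, a short comment on each would make the intent reviewable, e.g. `# 1 = return false instead of raising` and `# 1 = any one of $privs is sufficient`. Also confirm the file loads `PVE::RPCEnvironment`, as the `use` lines are outside the hunk. The handler body starts and ends outside the hunk.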
@@ -52,6 +55,9 @@ __PACKAGE__->register_method ({
 protected => 1,
 path => '',
 method => 'POST',
+ permissions => {
+ check => ['perm', '/access', ['Sys.Modify']],
+ },
 description => "Create new role.",
 parameters => {
 additionalProperties => 0,
@@ -89,6 +95,9 @@ __PACKAGE__->register_method ({
 protected => 1,
 path => '{roleid}',
 method => 'PUT',
+ permissions => {
+ check => ['perm', '/access', ['Sys.Modify']],
+ },
 description => "Create new role.",
 parameters => {
 additionalProperties => 0,
@@ -131,6 +140,9 @@ __PACKAGE__->register_method ({
 name => 'read_role',
 path => '{roleid}',
 method => 'GET',
+ permissions => {
+ check => ['perm', '/access', ['Sys.Audit']],
+ },
 description => "Get role configuration.",
 parameters => {
 additionalProperties => 0,
@@ -159,6 +171,9 @@ __PACKAGE__->register_method ({
 protected => 1,
 path => '{roleid}',
 method => 'DELETE',
+ permissions => {
+ check => ['perm', '/access', ['Sys.Modify']],
+ },
 description => "Delete role.",
 parameters => {
 additionalProperties => 0,
diff --git a/PVE/API2/User.pm b/PVE/API2/User.pm
index 6504ab9..aa88dfd 100644
--- a/PVE/API2/User.pm
+++ b/PVE/API2/User.pm
@@ -37,7 +37,10 @@ __PACKAGE__->register_method ({
 path => '',
 method => 'GET',
 description => "User index.",
- permissions => { user => 'all' },
+ permissions => {
+ description => "The returned list is restricted to users where you have 'User.Modify' or 'User.Delete' permissions on '/access' or on a group the user belongs too. But it always includes the current (authenticated) user.",
+ user => 'all',
+ },
 parameters => {
 additionalProperties => 0,
 properties => {
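Review bot: In the PVE/API2/Role.pm hunk for `PUT {roleid}` (`@@ -89,6 +95,9 @@`), the context line `description => "Create new role.",` repeats the POST method's text, although this endpoint apparently updates an existing role. Now that a 'Sys.Modify' check sits next to it, the schema is what operators read to learn which call needs which privilege, so the description is worth correcting in the same change: `description => "Update an existing role.",`. The rest of the method definition is outside the hunk.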
@@ -98,6 +101,10 @@ __PACKAGE__->register_method ({
 protected => 1,
 path => '',
 method => 'POST',
+ permissions => {
+ description => "You need 'User.Add' permissions to '/access/groups/' for any group specified, or 'User.Add' on '/access' if you pass no groups.",
+ check => ['userid-group', ['User.Add'], groups_param => 1],
+ },
 description => "Create new user.",
 parameters => {
 additionalProperties => 0,
@@ -176,6 +183,9 @@ __PACKAGE__->register_method ({
 path => '{userid}',
 method => 'GET',
 description => "Get user configuration.",
+ permissions => {
+ check => ['userid-group', ['User.Modify']],
+ },
 parameters => {
 additionalProperties => 0,
 properties => {
@@ -212,6 +222,9 @@ __PACKAGE__->register_method ({
 protected => 1,
 path => '{userid}',
 method => 'PUT',
+ permissions => {
+ check => ['userid-group', ['User.Modify'], groups_param => 1 ],
+ },
 description => "Update user configuration.",
 parameters => {
 additionalProperties => 0,
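Review bot: The description added to the user-create method (`@@ -98,6 +101,10 @@` in PVE/API2/User.pm) says 'User.Add' is needed "for any group specified", which can be read as "at least one of the groups" as well as "every group". For a privilege rule the stricter reading should be explicit. The `userid-group` check is implemented outside this diff, so confirm it requires the privilege on each listed group. The path is also printed as '/access/groups/' with no group placeholder. Suggested wording: `description => "You need 'User.Add' permissions to '/access/groups/{groupid}' for every group specified, or 'User.Add' on '/access' if you pass no groups.",`.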
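Review bot: The read method `GET {userid}` (`@@ -176,6 +183,9 @@`) is gated on 'User.Modify', a write privilege, and has no `permissions` description. An auditing role would need modify rights just to view a user entry. It is also not visible here whether `userid-group` lets users read their own entry, which the index description says is always listed. Consider accepting a read-only privilege as well, in the style of the ACL index check: `check => ['userid-group', ['User.Modify', 'Sys.Audit'], any => 1],`. That only works if `userid-group` honours `any`, which this page does not show.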