From 12683df7c4ee7dd10257a35189998ebe2bde5597 Mon Sep 17 00:00:00 2001 From: Dietmar Maurer Date: Mon, 23 Jan 2012 12:14:45 +0100 Subject: [PATCH] use new syntax for permission checks And use better names for user priviledges. --- PVE/API2/AccessControl.pm | 19 +++++++++---------- PVE/API2/User.pm | 15 ++++----------- PVE/AccessControl.pm | 14 ++++++++++++-- 3 files changed, 25 insertions(+), 23 deletions(-) diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm index 6046a8a..46b5510 100644 --- a/PVE/API2/AccessControl.pm +++ b/PVE/API2/AccessControl.pm @@ -210,7 +210,13 @@ __PACKAGE__->register_method ({ name => 'change_passsword', path => 'password', method => 'PUT', - permissions => { user => 'all' }, + permissions => { + description => "Each user is allowed to change his own password. A user can change the password of another user if he has modify permission on /access/groups/ on a group where user is member of.", + check => [ 'or', + ['userid-param', 'self'], + ['userid-group', ['User.Modify']], + ], + }, protected => 1, # else we can't access shadow files description => "Change user password.", parameters => { @@ -234,8 +240,7 @@ __PACKAGE__->register_method ({ my ($userid, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid}); - my $usercfg = $rpcenv->{user_cfg}; - PVE::AccessControl::check_user_exist($usercfg, $userid); + $rpcenv->check_user_exist($userid); if ($authuser eq 'root@pam') { # OK - root can change anything @@ -244,14 +249,8 @@ __PACKAGE__->register_method ({ $rpcenv->check_user_enabled($userid); # OK - each user can change its own password } else { + # only root may change root password raise_perm_exc() if $userid eq 'root@pam'; - - my $privs = [ 'Sys.UserMod', 'Sys.UserAdd' ]; - if (!$rpcenv->check_any($authuser, "/access", $privs, 1)) { - my $groups = $rpcenv->filter_groups($authuser, $privs, 1); - my $allowed_users = $rpcenv->group_member_join([keys %$groups]); - raise_perm_exc() if !$allowed_users->{$userid}; - } } } diff --git a/PVE/API2/User.pm b/PVE/API2/User.pm index 5cfb155..6504ab9 100644 --- a/PVE/API2/User.pm +++ b/PVE/API2/User.pm @@ -67,7 +67,7 @@ __PACKAGE__->register_method ({ my $res = []; - my $privs = [ 'Sys.UserMod', 'Sys.UserAdd' ]; + my $privs = [ 'User.Modify', 'User.Delete' ]; my $canUserMod = $rpcenv->check_any($authuser, "/access", $privs, 1); my $groups = $rpcenv->filter_groups($authuser, $privs, 1); @@ -288,7 +288,9 @@ __PACKAGE__->register_method ({ path => '{userid}', method => 'DELETE', description => "Delete user.", - permissions => { user => 'all' }, + permissions => { + check => ['userid-group', ['User.Delete']], + }, parameters => { additionalProperties => 0, properties => { @@ -310,15 +312,6 @@ __PACKAGE__->register_method ({ my $usercfg = cfs_read_file("user.cfg"); - PVE::AccessControl::check_user_exist($usercfg, $userid); - - my $privs = [ 'Sys.UserAdd' ]; # there is no Sys.UserDel - if (!$rpcenv->check($authuser, "/access", $privs, 1)) { - my $groups = $rpcenv->filter_groups($authuser, sub { return "/access/groups/" . shift; }, $privs, 1); - my $allowed_users = $rpcenv->group_member_join([keys %$groups]); - raise_perm_exc() if !$allowed_users->{$userid}; - } - delete ($usercfg->{users}->{$userid}); PVE::AccessControl::delete_shadow_password($ruid) if $realm eq 'pve'; diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm index 72ec12d..310a3f1 100644 --- a/PVE/AccessControl.pm +++ b/PVE/AccessControl.pm @@ -554,12 +554,10 @@ my $privgroups = { root => [ 'Sys.PowerMgmt', 'Sys.Modify', # edit/change node settings - 'Sys.UserAdd', # add/delete users ], admin => [ 'Sys.Console', 'Sys.Syslog', - 'Sys.UserMod', # modify users settings ], user => [], audit => [ @@ -579,6 +577,18 @@ my $privgroups = { 'Datastore.Audit', ], }, + User => { + root => [ + + ], + admin => [ + 'User.Modify', + 'User.Add', + 'User.Delete', + ], + user => [], + audit => [], + }, }; my $valid_privs = {}; -- 2.39.2