return $copy;
}
+my $rules_modify_permissions = sub {
+ my ($rule_env) = @_;
+
+ if ($rule_env eq 'host') {
+ return {
+ check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+ };
+ } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') {
+ return {
+ check => ['perm', '/', [ 'Sys.Modify' ]],
+ };
+ } elsif ($rule_env eq 'vm' || $rule_env eq 'ct') {
+ return {
+ check => ['perm', '/vms/{vmid}', [ 'VM.Config.Network' ]],
+ }
+ }
+
+ return undef;
+};
+
+my $rules_audit_permissions = sub {
+ my ($rule_env) = @_;
+
+ if ($rule_env eq 'host') {
+ return {
+ check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]],
+ };
+ } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') {
+ return {
+ check => ['perm', '/', [ 'Sys.Audit' ]],
+ };
+ } elsif ($rule_env eq 'vm' || $rule_env eq 'ct') {
+ return {
+ check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
+ }
+ }
+
+ return undef;
+};
+
sub register_get_rules {
my ($class) = @_;
my $properties = $class->additional_parameters();
+ my $rule_env = $class->rule_env();
+
$class->register_method({
name => 'get_rules',
path => '',
method => 'GET',
description => "List rules.",
+ permissions => &$rules_audit_permissions($rule_env),
parameters => {
additionalProperties => 0,
properties => $properties,
},
- proxyto => $class->rule_env() eq 'host' ? 'node' : undef,
+ proxyto => $rule_env eq 'host' ? 'node' : undef,
returns => {
type => 'array',
items => {
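Review bot: Both new helpers fall through to `return undef` for any rule_env other than host/cluster/group/vm/ct, so whether an unexpected environment fails closed depends entirely on how the REST layer treats `permissions => undef` (presumably the root-only default — confirm against the RPC environment's permission check); since every environment this class is registered for should map to an explicit check, a `die "unknown rule_env '$rule_env'\n"` in place of the `undef` would fail fast at registration instead, or at least a comment such as `# unknown env: no permission spec, caller's default access rules apply` should state the intent. Note that the explicit `undef` (rather than a bare `return;`) is needed as written, because the call sites interpolate the result into a hash constructor in list context, where an empty list would shift the remaining keys. The two closures differ only in the privilege names, so one helper taking the privilege set as a second argument (e.g. `$rules_permissions->($rule_env, { host => 'Sys.Modify', cluster => 'Sys.Modify', vm => 'VM.Config.Network' })`) would remove the duplication and keep the path mapping in one place. At the call sites here and in the four following hunks, `$rules_audit_permissions->($rule_env)` is the clearer form of `&$rules_audit_permissions($rule_env)`, and the `/vms/{vmid}` and `/nodes/{node}` paths rely on those parameters being present in each method's `properties` — worth a comment on the helpers. The vm/ct arms also drop the trailing semicolon after `return { ... }` that the other arms have.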
$properties->{pos} = $api_properties->{pos};
+ my $rule_env = $class->rule_env();
+
$class->register_method({
name => 'get_rule',
path => '{pos}',
method => 'GET',
description => "Get single rule data.",
+ permissions => &$rules_audit_permissions($rule_env),
parameters => {
additionalProperties => 0,
properties => $properties,
},
- proxyto => $class->rule_env() eq 'host' ? 'node' : undef,
+ proxyto => $rule_env eq 'host' ? 'node' : undef,
returns => {
type => "object",
properties => {
$create_rule_properties->{action}->{optional} = 0;
$create_rule_properties->{type}->{optional} = 0;
+ my $rule_env = $class->rule_env();
+
$class->register_method({
name => 'create_rule',
path => '',
method => 'POST',
description => "Create new rule.",
protected => 1,
+ permissions => &$rules_modify_permissions($rule_env),
parameters => {
additionalProperties => 0,
properties => $create_rule_properties,
},
- proxyto => $class->rule_env() eq 'host' ? 'node' : undef,
+ proxyto => $rule_env eq 'host' ? 'node' : undef,
returns => { type => "null" },
code => sub {
my ($param) = @_;
$properties->{pos} = $api_properties->{pos};
+ my $rule_env = $class->rule_env();
+
$properties->{moveto} = {
description => "Move rule to new position <moveto>. Other arguments are ignored.",
type => 'integer',
method => 'PUT',
description => "Modify rule data.",
protected => 1,
+ permissions => &$rules_modify_permissions($rule_env),
parameters => {
additionalProperties => 0,
properties => $update_rule_properties,
},
- proxyto => $class->rule_env() eq 'host' ? 'node' : undef,
+ proxyto => $rule_env eq 'host' ? 'node' : undef,
returns => { type => "null" },
code => sub {
my ($param) = @_;
$properties->{digest} = get_standard_option('pve-config-digest');
+ my $rule_env = $class->rule_env();
+
$class->register_method({
name => 'delete_rule',
path => '{pos}',
method => 'DELETE',
description => "Delete rule.",
protected => 1,
+ permissions => &$rules_modify_permissions($rule_env),
parameters => {
additionalProperties => 0,
properties => $properties,
},
- proxyto => $class->rule_env() eq 'host' ? 'node' : undef,
+ proxyto => $rule_env eq 'host' ? 'node' : undef,
returns => { type => "null" },
code => sub {
my ($param) = @_;