src/api2/access/user.rs: add access permissions

2020-04-17 11:04:36 +02:00
parent d4f020f4c5
commit 4f66423fcc
3 changed files with 18 additions and 6 deletions
--- a/src/api2/access.rs
+++ b/src/api2/access.rs
@ -2,7 +2,7 @@ use failure::*;

 use serde_json::{json, Value};

-use proxmox::api::{api, RpcEnvironment, Permission};
+use proxmox::api::{api, RpcEnvironment, Permission, UserInformation};
 use proxmox::api::router::{Router, SubdirMap};
 use proxmox::{sortable, identity};
 use proxmox::{http_err, list_subdirs_api_method};
@ -11,7 +11,9 @@ use crate::tools;
 use crate::tools::ticket::*;
 use crate::auth_helpers::*;
 use crate::api2::types::*;
+
 use crate::config::cached_user_info::CachedUserInfo;
+use crate::config::acl::PRIV_PERMISSIONS_MODIFY;

 pub mod user;
 pub mod domain;
@ -111,7 +113,7 @@ fn create_ticket(username: String, password: String) -> Result<Value, Error> {
        },
    },
    access: {
-        description: "Anybody is allowed to change there own password. The Superuser may change any password.",
+        description: "Anybody is allowed to change there own password. In addition, users with 'Permissions:Modify' privilege may change any password.",
        permission: &Permission::Anybody,
    },

@ -133,6 +135,14 @@ fn change_password(

    if userid == "root@pam" { allowed = true; }

+    if !allowed {
+        use crate::config::cached_user_info::CachedUserInfo;
+
+        let user_info = CachedUserInfo::new()?;
+        let privs = user_info.lookup_privs(&current_user, &[]);
+        if (privs & PRIV_PERMISSIONS_MODIFY) != 0 { allowed = true; }
+    }
+
    if !allowed {
        bail!("you are not authorized to change the password.");
    }
--- a/src/api2/access/user.rs
+++ b/src/api2/access/user.rs
@ -6,7 +6,7 @@ use proxmox::api::schema::{Schema, StringSchema};

 use crate::api2::types::*;
 use crate::config::user;
-use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_SYS_MODIFY};
+use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_PERMISSIONS_MODIFY};

 pub const PBS_PASSWORD_SCHEMA: Schema = StringSchema::new("User Password.")
    .format(&PASSWORD_FORMAT)
@ -111,7 +111,7 @@ pub fn list_users(
        },
    },
    access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+        permission: &Permission::Privilege(&[], PRIV_PERMISSIONS_MODIFY, false),
    },
 )]
 /// Create new user.
@ -208,7 +208,7 @@ pub fn read_user(userid: String) -> Result<Value, Error> {
        },
    },
    access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+        permission: &Permission::Privilege(&[], PRIV_PERMISSIONS_MODIFY, false),
    },
 )]
 /// Update user configuration.
@ -290,7 +290,7 @@ pub fn update_user(
        },
    },
    access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+        permission: &Permission::Privilege(&[], PRIV_PERMISSIONS_MODIFY, false),
    },
 )]
 /// Remove a user from the configuration file.
--- a/src/config/acl.rs
+++ b/src/config/acl.rs
@ -19,6 +19,8 @@ pub const PRIV_DATASTORE_AUDIT: u64              = 1 << 3;
 pub const PRIV_DATASTORE_ALLOCATE: u64           = 1 << 4;
 pub const PRIV_DATASTORE_ALLOCATE_SPACE: u64     = 1 << 5;

+pub const PRIV_PERMISSIONS_MODIFY: u64           = 1 << 6;
+
 pub const ROLE_ADMIN: u64 = std::u64::MAX;
 pub const ROLE_NO_ACCESS: u64 = 0;