src/api2/access/user.rs: add access permissions
This commit is contained in:
parent
d4f020f4c5
commit
4f66423fcc
|
@ -2,7 +2,7 @@ use failure::*;
|
||||||
|
|
||||||
use serde_json::{json, Value};
|
use serde_json::{json, Value};
|
||||||
|
|
||||||
use proxmox::api::{api, RpcEnvironment, Permission};
|
use proxmox::api::{api, RpcEnvironment, Permission, UserInformation};
|
||||||
use proxmox::api::router::{Router, SubdirMap};
|
use proxmox::api::router::{Router, SubdirMap};
|
||||||
use proxmox::{sortable, identity};
|
use proxmox::{sortable, identity};
|
||||||
use proxmox::{http_err, list_subdirs_api_method};
|
use proxmox::{http_err, list_subdirs_api_method};
|
||||||
|
@ -11,7 +11,9 @@ use crate::tools;
|
||||||
use crate::tools::ticket::*;
|
use crate::tools::ticket::*;
|
||||||
use crate::auth_helpers::*;
|
use crate::auth_helpers::*;
|
||||||
use crate::api2::types::*;
|
use crate::api2::types::*;
|
||||||
|
|
||||||
use crate::config::cached_user_info::CachedUserInfo;
|
use crate::config::cached_user_info::CachedUserInfo;
|
||||||
|
use crate::config::acl::PRIV_PERMISSIONS_MODIFY;
|
||||||
|
|
||||||
pub mod user;
|
pub mod user;
|
||||||
pub mod domain;
|
pub mod domain;
|
||||||
|
@ -111,7 +113,7 @@ fn create_ticket(username: String, password: String) -> Result<Value, Error> {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
access: {
|
access: {
|
||||||
description: "Anybody is allowed to change there own password. The Superuser may change any password.",
|
description: "Anybody is allowed to change there own password. In addition, users with 'Permissions:Modify' privilege may change any password.",
|
||||||
permission: &Permission::Anybody,
|
permission: &Permission::Anybody,
|
||||||
},
|
},
|
||||||
|
|
||||||
|
@ -133,6 +135,14 @@ fn change_password(
|
||||||
|
|
||||||
if userid == "root@pam" { allowed = true; }
|
if userid == "root@pam" { allowed = true; }
|
||||||
|
|
||||||
|
if !allowed {
|
||||||
|
use crate::config::cached_user_info::CachedUserInfo;
|
||||||
|
|
||||||
|
let user_info = CachedUserInfo::new()?;
|
||||||
|
let privs = user_info.lookup_privs(¤t_user, &[]);
|
||||||
|
if (privs & PRIV_PERMISSIONS_MODIFY) != 0 { allowed = true; }
|
||||||
|
}
|
||||||
|
|
||||||
if !allowed {
|
if !allowed {
|
||||||
bail!("you are not authorized to change the password.");
|
bail!("you are not authorized to change the password.");
|
||||||
}
|
}
|
||||||
|
|
|
@ -6,7 +6,7 @@ use proxmox::api::schema::{Schema, StringSchema};
|
||||||
|
|
||||||
use crate::api2::types::*;
|
use crate::api2::types::*;
|
||||||
use crate::config::user;
|
use crate::config::user;
|
||||||
use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_SYS_MODIFY};
|
use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_PERMISSIONS_MODIFY};
|
||||||
|
|
||||||
pub const PBS_PASSWORD_SCHEMA: Schema = StringSchema::new("User Password.")
|
pub const PBS_PASSWORD_SCHEMA: Schema = StringSchema::new("User Password.")
|
||||||
.format(&PASSWORD_FORMAT)
|
.format(&PASSWORD_FORMAT)
|
||||||
|
@ -111,7 +111,7 @@ pub fn list_users(
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
access: {
|
access: {
|
||||||
permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
|
permission: &Permission::Privilege(&[], PRIV_PERMISSIONS_MODIFY, false),
|
||||||
},
|
},
|
||||||
)]
|
)]
|
||||||
/// Create new user.
|
/// Create new user.
|
||||||
|
@ -208,7 +208,7 @@ pub fn read_user(userid: String) -> Result<Value, Error> {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
access: {
|
access: {
|
||||||
permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
|
permission: &Permission::Privilege(&[], PRIV_PERMISSIONS_MODIFY, false),
|
||||||
},
|
},
|
||||||
)]
|
)]
|
||||||
/// Update user configuration.
|
/// Update user configuration.
|
||||||
|
@ -290,7 +290,7 @@ pub fn update_user(
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
access: {
|
access: {
|
||||||
permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
|
permission: &Permission::Privilege(&[], PRIV_PERMISSIONS_MODIFY, false),
|
||||||
},
|
},
|
||||||
)]
|
)]
|
||||||
/// Remove a user from the configuration file.
|
/// Remove a user from the configuration file.
|
||||||
|
|
|
@ -19,6 +19,8 @@ pub const PRIV_DATASTORE_AUDIT: u64 = 1 << 3;
|
||||||
pub const PRIV_DATASTORE_ALLOCATE: u64 = 1 << 4;
|
pub const PRIV_DATASTORE_ALLOCATE: u64 = 1 << 4;
|
||||||
pub const PRIV_DATASTORE_ALLOCATE_SPACE: u64 = 1 << 5;
|
pub const PRIV_DATASTORE_ALLOCATE_SPACE: u64 = 1 << 5;
|
||||||
|
|
||||||
|
pub const PRIV_PERMISSIONS_MODIFY: u64 = 1 << 6;
|
||||||
|
|
||||||
pub const ROLE_ADMIN: u64 = std::u64::MAX;
|
pub const ROLE_ADMIN: u64 = std::u64::MAX;
|
||||||
pub const ROLE_NO_ACCESS: u64 = 0;
|
pub const ROLE_NO_ACCESS: u64 = 0;
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue