src/api2/access/user.rs: add access permissions

src/api2/access.rs

@@ -2,7 +2,7 @@ use failure::*;
 
 use serde_json::{json, Value};
 
-use proxmox::api::{api, RpcEnvironment, Permission};
+use proxmox::api::{api, RpcEnvironment, Permission, UserInformation};
 use proxmox::api::router::{Router, SubdirMap};
 use proxmox::{sortable, identity};
 use proxmox::{http_err, list_subdirs_api_method};
@@ -11,7 +11,9 @@ use crate::tools;
 use crate::tools::ticket::*;
 use crate::auth_helpers::*;
 use crate::api2::types::*;
+
 use crate::config::cached_user_info::CachedUserInfo;
+use crate::config::acl::PRIV_PERMISSIONS_MODIFY;
 
 pub mod user;
 pub mod domain;
@@ -111,7 +113,7 @@ fn create_ticket(username: String, password: String) -> Result<Value, Error> {
         },
     },
     access: {
-        description: "Anybody is allowed to change there own password. The Superuser may change any password.",
+        description: "Anybody is allowed to change there own password. In addition, users with 'Permissions:Modify' privilege may change any password.",
         permission: &Permission::Anybody,
     },
 
@@ -133,6 +135,14 @@ fn change_password(
 
     if userid == "root@pam" { allowed = true; }
 
+    if !allowed {
+        use crate::config::cached_user_info::CachedUserInfo;
+
+        let user_info = CachedUserInfo::new()?;
+        let privs = user_info.lookup_privs(&current_user, &[]);
+        if (privs & PRIV_PERMISSIONS_MODIFY) != 0 { allowed = true; }
+    }
+
     if !allowed {
         bail!("you are not authorized to change the password.");
     }

src/api2/access/user.rs

@@ -6,7 +6,7 @@ use proxmox::api::schema::{Schema, StringSchema};
 
 use crate::api2::types::*;
 use crate::config::user;
-use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_SYS_MODIFY};
+use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_PERMISSIONS_MODIFY};
 
 pub const PBS_PASSWORD_SCHEMA: Schema = StringSchema::new("User Password.")
     .format(&PASSWORD_FORMAT)
@@ -111,7 +111,7 @@ pub fn list_users(
         },
     },
     access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+        permission: &Permission::Privilege(&[], PRIV_PERMISSIONS_MODIFY, false),
     },
 )]
 /// Create new user.
@@ -208,7 +208,7 @@ pub fn read_user(userid: String) -> Result<Value, Error> {
         },
     },
     access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+        permission: &Permission::Privilege(&[], PRIV_PERMISSIONS_MODIFY, false),
     },
 )]
 /// Update user configuration.
@@ -290,7 +290,7 @@ pub fn update_user(
         },
     },
     access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+        permission: &Permission::Privilege(&[], PRIV_PERMISSIONS_MODIFY, false),
     },
 )]
 /// Remove a user from the configuration file.

src/config/acl.rs

@@ -19,6 +19,8 @@ pub const PRIV_DATASTORE_AUDIT: u64              = 1 << 3;
 pub const PRIV_DATASTORE_ALLOCATE: u64           = 1 << 4;
 pub const PRIV_DATASTORE_ALLOCATE_SPACE: u64     = 1 << 5;
 
+pub const PRIV_PERMISSIONS_MODIFY: u64           = 1 << 6;
+
 pub const ROLE_ADMIN: u64 = std::u64::MAX;
 pub const ROLE_NO_ACCESS: u64 = 0;