From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup] fix #3015: allow user self-service
Date: Fri, 18 Sep 2020 15:01:06 +0200 [thread overview]
Message-ID: <20200918130107.2744333-1-f.gruenbichler@proxmox.com> (raw)
listing, updating or deleting a user is now possible for the user
itself, in addition to higher-privileged users that have appropriate
privileges on '/access/users'.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
Notes:
requires bumped proxmox crate with Permission::UserParam support
src/api2/access/user.rs | 35 ++++++++++++++++++++++++++++-------
1 file changed, 28 insertions(+), 7 deletions(-)
diff --git a/src/api2/access/user.rs b/src/api2/access/user.rs
index ad50f2d9..432a48e1 100644
--- a/src/api2/access/user.rs
+++ b/src/api2/access/user.rs
@@ -8,6 +8,7 @@ use proxmox::tools::fs::open_file_locked;
use crate::api2::types::*;
use crate::config::user;
use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_PERMISSIONS_MODIFY};
+use crate::config::cached_user_info::CachedUserInfo;
pub const PBS_PASSWORD_SCHEMA: Schema = StringSchema::new("User Password.")
.format(&PASSWORD_FORMAT)
@@ -25,10 +26,11 @@ pub const PBS_PASSWORD_SCHEMA: Schema = StringSchema::new("User Password.")
items: { type: user::User },
},
access: {
- permission: &Permission::Privilege(&["access", "users"], PRIV_SYS_AUDIT, false),
+ permission: &Permission::Anybody,
+ description: "Returns all or just the logged-in user, depending on privileges.",
},
)]
-/// List all users
+/// List users
pub fn list_users(
_param: Value,
_info: &ApiMethod,
@@ -37,11 +39,21 @@ pub fn list_users(
let (config, digest) = user::config()?;
- let list = config.convert_to_typed_array("user")?;
+ let userid: Userid = rpcenv.get_user().unwrap().parse()?;
+ let user_info = CachedUserInfo::new()?;
+
+ let top_level_privs = user_info.lookup_privs(&userid, &["access", "users"]);
+ let top_level_allowed = (top_level_privs & PRIV_SYS_AUDIT) != 0;
+
+ let filter_by_privs = |user: &user::User| {
+ top_level_allowed || user.userid == userid
+ };
+
+ let list:Vec<user::User> = config.convert_to_typed_array("user")?;
rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
- Ok(list)
+ Ok(list.into_iter().filter(filter_by_privs).collect())
}
#[api(
@@ -124,7 +136,10 @@ pub fn create_user(password: Option<String>, param: Value) -> Result<(), Error>
type: user::User,
},
access: {
- permission: &Permission::Privilege(&["access", "users"], PRIV_SYS_AUDIT, false),
+ permission: &Permission::Or(&[
+ &Permission::Privilege(&["access", "users"], PRIV_SYS_AUDIT, false),
+ &Permission::UserParam("userid"),
+ ]),
},
)]
/// Read user configuration data.
@@ -177,7 +192,10 @@ pub fn read_user(userid: Userid, mut rpcenv: &mut dyn RpcEnvironment) -> Result<
},
},
access: {
- permission: &Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
+ permission: &Permission::Or(&[
+ &Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
+ &Permission::UserParam("userid"),
+ ]),
},
)]
/// Update user configuration.
@@ -258,7 +276,10 @@ pub fn update_user(
},
},
access: {
- permission: &Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
+ permission: &Permission::Or(&[
+ &Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
+ &Permission::UserParam("userid"),
+ ]),
},
)]
/// Remove a user from the configuration file.
--
2.20.1
next reply other threads:[~2020-09-18 13:01 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-18 13:01 Fabian Grünbichler [this message]
2020-09-18 13:01 ` [pbs-devel] [PATCH proxmox] permissions: introduce UserParam permission Fabian Grünbichler
2020-09-18 13:51 ` Dietmar Maurer
2020-09-18 16:20 ` Thomas Lamprecht
2020-09-19 4:38 ` Dietmar Maurer
2020-09-18 16:42 ` [pbs-devel] applied: " Thomas Lamprecht
2020-09-18 13:51 ` [pbs-devel] applied: [PATCH proxmox-backup] fix #3015: allow user self-service Dietmar Maurer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200918130107.2744333-1-f.gruenbichler@proxmox.com \
--to=f.gruenbichler@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox