From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id DAD3562DAF for ; Fri, 18 Sep 2020 15:01:42 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id D003516407 for ; Fri, 18 Sep 2020 15:01:12 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [212.186.127.180]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 2C43B163FC for ; Fri, 18 Sep 2020 15:01:12 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id E3CBE45439 for ; Fri, 18 Sep 2020 15:01:11 +0200 (CEST) From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= To: pbs-devel@lists.proxmox.com Date: Fri, 18 Sep 2020 15:01:06 +0200 Message-Id: <20200918130107.2744333-1-f.gruenbichler@proxmox.com> X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.029 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [user.rs] Subject: [pbs-devel] [PATCH proxmox-backup] fix #3015: allow user self-service X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Sep 2020 13:01:42 -0000 listing, updating or deleting a user is now possible for the user itself, in addition to higher-privileged users that have appropriate privileges on '/access/users'. Signed-off-by: Fabian Grünbichler --- Notes: requires bumped proxmox crate with Permission::UserParam support src/api2/access/user.rs | 35 ++++++++++++++++++++++++++++------- 1 file changed, 28 insertions(+), 7 deletions(-) diff --git a/src/api2/access/user.rs b/src/api2/access/user.rs index ad50f2d9..432a48e1 100644 --- a/src/api2/access/user.rs +++ b/src/api2/access/user.rs @@ -8,6 +8,7 @@ use proxmox::tools::fs::open_file_locked; use crate::api2::types::*; use crate::config::user; use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_PERMISSIONS_MODIFY}; +use crate::config::cached_user_info::CachedUserInfo; pub const PBS_PASSWORD_SCHEMA: Schema = StringSchema::new("User Password.") .format(&PASSWORD_FORMAT) @@ -25,10 +26,11 @@ pub const PBS_PASSWORD_SCHEMA: Schema = StringSchema::new("User Password.") items: { type: user::User }, }, access: { - permission: &Permission::Privilege(&["access", "users"], PRIV_SYS_AUDIT, false), + permission: &Permission::Anybody, + description: "Returns all or just the logged-in user, depending on privileges.", }, )] -/// List all users +/// List users pub fn list_users( _param: Value, _info: &ApiMethod, @@ -37,11 +39,21 @@ pub fn list_users( let (config, digest) = user::config()?; - let list = config.convert_to_typed_array("user")?; + let userid: Userid = rpcenv.get_user().unwrap().parse()?; + let user_info = CachedUserInfo::new()?; + + let top_level_privs = user_info.lookup_privs(&userid, &["access", "users"]); + let top_level_allowed = (top_level_privs & PRIV_SYS_AUDIT) != 0; + + let filter_by_privs = |user: &user::User| { + top_level_allowed || user.userid == userid + }; + + let list:Vec = config.convert_to_typed_array("user")?; rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into(); - Ok(list) + Ok(list.into_iter().filter(filter_by_privs).collect()) } #[api( @@ -124,7 +136,10 @@ pub fn create_user(password: Option, param: Value) -> Result<(), Error> type: user::User, }, access: { - permission: &Permission::Privilege(&["access", "users"], PRIV_SYS_AUDIT, false), + permission: &Permission::Or(&[ + &Permission::Privilege(&["access", "users"], PRIV_SYS_AUDIT, false), + &Permission::UserParam("userid"), + ]), }, )] /// Read user configuration data. @@ -177,7 +192,10 @@ pub fn read_user(userid: Userid, mut rpcenv: &mut dyn RpcEnvironment) -> Result< }, }, access: { - permission: &Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false), + permission: &Permission::Or(&[ + &Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false), + &Permission::UserParam("userid"), + ]), }, )] /// Update user configuration. @@ -258,7 +276,10 @@ pub fn update_user( }, }, access: { - permission: &Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false), + permission: &Permission::Or(&[ + &Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false), + &Permission::UserParam("userid"), + ]), }, )] /// Remove a user from the configuration file. -- 2.20.1