diff --git a/src/PVE/API2/Role.pm b/src/PVE/API2/Role.pm
index 5cb5b30..a924018 100644
--- a/src/PVE/API2/Role.pm
+++ b/src/PVE/API2/Role.pm
@@ -5,6 +5,7 @@ use warnings;
 use PVE::AccessControl ();
 use PVE::Cluster qw(cfs_read_file cfs_write_file);
+use PVE::Exception qw(raise_param_exc);
 use PVE::JSONSchema qw(get_standard_option register_standard_option);
 use base qw(PVE::RESTHandler);
@@ -82,11 +83,17 @@ __PACKAGE__->register_method ({
 code => sub {
 my ($param) = @_;
+ my $role = $param->{roleid};
+
+ if ($role =~ /^PVE/i) {
+ raise_param_exc({
+ roleid => "cannot use role ID starting with the (case-insensitive) 'PVE' namespace",
+ });
+ }
+
 PVE::AccessControl::lock_user_config(sub {
 my $usercfg = cfs_read_file("user.cfg");
- my $role = $param->{roleid};
-
 die "role '$role' already exists\n" if $usercfg->{roles}->{$role};
 $usercfg->{roles}->{$role} = {};
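Review bot: The `if ($role =~ /^PVE/i)` guard sits only inside this handler's `code` sub, so the reserved 'PVE' prefix is enforced on this one call path and does not appear in the `roleid` parameter schema; a role ID that reaches `user.cfg` another way (a hand-edited file, or an entry created before this change) would presumably still be accepted with a name in the reserved namespace. Consider enforcing the same rule where `roleid` is validated or where the config is parsed, if that code exists outside this hunk, so the check cannot be bypassed by path. The check also has no why-comment; something like `# role IDs starting with 'PVE' are reserved; reject them before taking the user.cfg lock` above it would record the intent, and `\A` instead of `^` would state the start-of-string anchor explicitly. The enclosing sub continues past the end of the hunk.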