Wolfgang Bumiller
e41cc73c52
api: check for special roles before locking the usercfg
2017-09-22 08:52:55 +02:00
Philip Abernethy
0a6e09fd47
Whitespace fixes
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2017-09-22 08:38:50 +02:00
Philip Abernethy
5654af83fa
Remove unused Dumper uses
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2017-09-22 08:38:48 +02:00
Philip Abernethy
894e6f0c4b
fix #1501 : pveum: die when deleting special role
Die with a helpful error message instead of silently ignoring the user
when trying to delete a special role.
Also add a property to the API answer for possible later use by the
WebUI.
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2017-09-22 08:38:21 +02:00
Wolfgang Bumiller
36dd9dbdb3
fix another typo
2017-09-21 10:19:27 +02:00
Thomas Lamprecht
14658ad8ba
api: fix typo in 'GET ticket' description
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2017-09-21 09:13:34 +02:00
Thomas Lamprecht
a2c18811d3
API/ticket: rework coarse grained permission computation
We accessed methods from PVE::Storage here but did not define a
"use PVE::Storage". This thus only worked if the
PVE::Storage module got pulled in by something else, by luck.
Simply including said use statement is not an option because
pve-storage is already dependent on pve-access-control, and we want
to avoid cyclic dependencies, especially on the perl module level.
The reason the offending module was used in the first place here
stems from the way these coarse grained permissions are
calculated.
We check all permission object paths for privileges for a user.
So we got all vmids and all storage ids and computed paths from them.
This works, but is overkill and led to this "illegal" module use.
Instead I opt to not generate all possible paths, but just check
the ones configured plus a small required static set of top level
paths - this allows generalizing the handling of the special root@pam
and "normal" users.
It has to be noted that this method is in general just intended for a
coarse capability check to allow hiding a few UI elements which are
not generated by backend calls (which are already permission aware).
The real checks get done by each backend call, automatically for
simple ones and semi-automatically for complex ones.
2017-09-20 09:33:39 +02:00
Dietmar Maurer
52b2eff3c5
PVE/API2/Domains.pm: fix property description
2017-01-11 12:11:01 +01:00
Dietmar Maurer
3e5bfdf60f
pveum: implement bash completion hooks
2015-10-01 17:22:09 +02:00
Dietmar Maurer
30be0de97a
allow to write builtin auth domains
So that we can set tfa, comment, default with the GUI.
2014-07-18 11:30:19 +02:00
Dietmar Maurer
1abc2c0aee
add oath two factor auth, bump version to 3.0-14
2014-07-17 14:04:13 +02:00
Dietmar Maurer
96f8ebd625
add basic support for two factor auth
2014-06-23 11:42:44 +02:00
Dietmar Maurer
39e4e36348
add dummy API for login page
2014-04-30 14:45:57 +02:00
Dietmar Maurer
fe2defd9d5
return correct 401 status code for unauthorized calls
New HTTP::Server will delay the call by 3 seconds.
2013-11-18 11:25:32 +01:00
Dietmar Maurer
6126ab75a0
prevent user enumeration attacks
2013-11-18 09:05:04 +01:00
Dietmar Maurer
437be042c2
correctly compute GUI capabilities (consider pools)
2012-05-30 08:47:43 +02:00
Dietmar Maurer
5bb4e06a64
new plugin architecture for Auth modules
2012-05-22 10:43:30 +02:00
Dietmar Maurer
dd2cfee072
return set of privileges on login - can be used to adopt GUI
2012-04-17 10:26:48 +02:00
Dietmar Maurer
e2993b66c3
set propagate flag by default
2012-03-01 12:38:46 +01:00
Dietmar Maurer
4384e19e9b
fix return value for empty ACL list
2012-02-10 11:25:23 +01:00
Dietmar Maurer
59321f2682
do not allow to change system user passwords
2012-02-09 11:26:37 +01:00
Dietmar Maurer
f3957883eb
moved Pool.pm to pve-manager package
2012-01-27 08:44:22 +01:00
Dietmar Maurer
82b63965eb
cleanup permission checks
Added new Real.AllocateUser privilege
2012-01-27 08:34:12 +01:00
Dietmar Maurer
8de1fb5ae3
code cleanup
2012-01-26 14:02:25 +01:00
Dietmar Maurer
9a53427a8e
fix return format
2012-01-26 13:47:07 +01:00
Dietmar Maurer
cab28ea50b
code cleanup
2012-01-26 13:35:33 +01:00
Dietmar Maurer
399932c682
return array instead of hash
2012-01-26 13:02:07 +01:00
Dietmar Maurer
39c85db819
add pool API
2012-01-26 12:42:01 +01:00
Dietmar Maurer
7b6f1fd306
remove debug message
2012-01-26 09:54:56 +01:00
Dietmar Maurer
fc21a5c220
add description
2012-01-26 08:31:27 +01:00
Dietmar Maurer
19f60b5e3c
use User.Allocate instead of User.Add/User.Delete
2012-01-26 08:26:31 +01:00
Dietmar Maurer
e3a3a0d746
implement helper to check if we can modify permission
2012-01-26 08:25:16 +01:00
Dietmar Maurer
4bc17477d8
start pool support, return NoAccess role, fix acl cache
2012-01-25 14:32:12 +01:00
Dietmar Maurer
9691923469
fix access control
2012-01-24 11:50:41 +01:00
Dietmar Maurer
12683df7c4
use new syntax for permission checks
And use better names for user privileges.
2012-01-23 12:14:45 +01:00
Dietmar Maurer
b9180ed235
simplify filter_groups
2012-01-23 09:58:03 +01:00
Dietmar Maurer
37d45debb1
new API to change password
Started to implement fine grained permission checks.
2012-01-20 12:45:24 +01:00
Dietmar Maurer
adf8d771d0
fix bug #85 : implement vnc tickets
Those tickets are restricted to a single resource path, and are only valid for
a short period of time (60s).
2012-01-19 09:27:05 +01:00
Dietmar Maurer
7070c1aee5
rename user_enabled to check_user_enabled
And add $noerr parameter.
2012-01-19 06:55:53 +01:00
Dietmar Maurer
a427cecb2b
import cfs_read_file
2012-01-18 09:21:21 +01:00
Dietmar Maurer
66b7e98db9
add test if user exists
2012-01-18 07:06:16 +01:00
Dietmar Maurer
d8a56966bc
fix bug #85 : allow root@pam to generate tickets for other users
2012-01-17 06:42:42 +01:00
Dietmar Maurer
930dcfc8b0
allow user to see his own entry
2012-01-13 13:31:18 +01:00
Dietmar Maurer
fdb30a4cc5
set minimal and maximal password length
2012-01-13 12:18:40 +01:00
Dietmar Maurer
0c1563637a
allow to pass empty strings to delete settings
2012-01-13 09:42:53 +01:00
Dietmar Maurer
af4a8a8522
allow port 0 to use default value
2012-01-13 09:13:41 +01:00
Dietmar Maurer
a0492cd61b
added domain attribute for AD servers
2012-01-13 08:03:25 +01:00
Dietmar Maurer
e652173849
allow to delete all groups
2012-01-12 09:27:32 +01:00
Dietmar Maurer
cb6f2f93ed
allow to filter enabled/disabled user
2012-01-11 12:31:50 +01:00
Dietmar Maurer
2c3a6c0aaa
imported from svn 'pve-access-control/trunk'
2011-08-23 07:27:48 +02:00