Commit e0993680 authored by Dietmar Maurer's avatar Dietmar Maurer

implement PasswordEdit dialog

And clean up the permission check code.
parent a4d3758c
...@@ -106,7 +106,7 @@ __PACKAGE__->register_method({ ...@@ -106,7 +106,7 @@ __PACKAGE__->register_method({
my $max = $param->{max} || 0; my $max = $param->{max} || 0;
my $user = $rpcenv->get_user(); my $user = $rpcenv->get_user();
my $admin = $rpcenv->check($user, "/", [ 'Sys.Syslog' ]); my $admin = $rpcenv->check($user, "/", [ 'Sys.Syslog' ], 1);
my $loguser = $admin ? '' : $user; my $loguser = $admin ? '' : $user;
...@@ -162,7 +162,7 @@ __PACKAGE__->register_method({ ...@@ -162,7 +162,7 @@ __PACKAGE__->register_method({
my $data = $idlist->{$vmid}; my $data = $idlist->{$vmid};
next if !$rpcenv->check($user, "/vms/$vmid", [ 'VM.Audit' ]); next if !$rpcenv->check($user, "/vms/$vmid", [ 'VM.Audit' ], 1);
my $entry = { my $entry = {
id => "$data->{type}/$vmid", id => "$data->{type}/$vmid",
...@@ -221,7 +221,7 @@ __PACKAGE__->register_method({ ...@@ -221,7 +221,7 @@ __PACKAGE__->register_method({
foreach my $storeid (@sids) { foreach my $storeid (@sids) {
my $scfg = PVE::Storage::storage_config($cfg, $storeid); my $scfg = PVE::Storage::storage_config($cfg, $storeid);
next if !$rpcenv->check($user, "/storage/$storeid", [ 'Datastore.Audit' ]); next if !$rpcenv->check($user, "/storage/$storeid", [ 'Datastore.Audit' ], 1);
# we create a entry for each node # we create a entry for each node
foreach my $node (@$nodelist) { foreach my $node (@$nodelist) {
next if !PVE::Storage::storage_check_enabled($cfg, $storeid, $node, 1); next if !PVE::Storage::storage_check_enabled($cfg, $storeid, $node, 1);
...@@ -276,7 +276,7 @@ __PACKAGE__->register_method({ ...@@ -276,7 +276,7 @@ __PACKAGE__->register_method({
return $res if !$tlist; return $res if !$tlist;
my $all = $rpcenv->check($user, "/", [ 'Sys.Audit' ]); my $all = $rpcenv->check($user, "/", [ 'Sys.Audit' ], 1);
foreach my $task (@$tlist) { foreach my $task (@$tlist) {
push @$res, $task if $all || ($task->{user} eq $user); push @$res, $task if $all || ($task->{user} eq $user);
......
...@@ -75,7 +75,7 @@ __PACKAGE__->register_method({ ...@@ -75,7 +75,7 @@ __PACKAGE__->register_method({
my $count = 0; my $count = 0;
my $line; my $line;
my $auditor = $rpcenv->check($user, "/nodes/$node", [ 'Sys.Audit' ]); my $auditor = $rpcenv->check($user, "/nodes/$node", [ 'Sys.Audit' ], 1);
my $parse_line = sub { my $parse_line = sub {
if ($line =~ m/^(\S+)(\s([0-9A-Za-z]{8})(\s(\S.*))?)?$/) { if ($line =~ m/^(\S+)(\s([0-9A-Za-z]{8})(\s(\S.*))?)?$/) {
...@@ -175,9 +175,9 @@ __PACKAGE__->register_method({ ...@@ -175,9 +175,9 @@ __PACKAGE__->register_method({
my $user = $rpcenv->get_user(); my $user = $rpcenv->get_user();
my $node = $param->{node}; my $node = $param->{node};
my $sysadmin = $rpcenv->check($user, "/nodes/$node", [ 'Sys.Console' ]); if ($user ne $task->{user}) {
die "Permission check failed\n" $rpcenv->check($user, "/nodes/$node", [ 'Sys.Console' ]);
if !($sysadmin || $user eq $task->{user}); }
PVE::RPCEnvironment::check_worker($param->{upid}, 1); PVE::RPCEnvironment::check_worker($param->{upid}, 1);
...@@ -237,9 +237,9 @@ __PACKAGE__->register_method({ ...@@ -237,9 +237,9 @@ __PACKAGE__->register_method({
my $user = $rpcenv->get_user(); my $user = $rpcenv->get_user();
my $node = $param->{node}; my $node = $param->{node};
my $auditor = $rpcenv->check($user, "/nodes/$node", [ 'Sys.Audit' ]); if ($user ne $task->{user}) {
die "Permission check failed\n" $rpcenv->check($user, "/nodes/$node", [ 'Sys.Audit' ]);
if !($auditor || $user eq $task->{user}); }
my $fh = IO::File->new($filename, "r"); my $fh = IO::File->new($filename, "r");
raise_param_exc({ upid => "no such task - unable to open file - $!" }) if !$fh; raise_param_exc({ upid => "no such task - unable to open file - $!" }) if !$fh;
...@@ -309,9 +309,9 @@ __PACKAGE__->register_method({ ...@@ -309,9 +309,9 @@ __PACKAGE__->register_method({
my $user = $rpcenv->get_user(); my $user = $rpcenv->get_user();
my $node = $param->{node}; my $node = $param->{node};
my $auditor = $rpcenv->check($user, "/nodes/$node", [ 'Sys.Audit' ]); if ($user ne $task->{user}) {
die "Permission check failed\n" $rpcenv->check($user, "/nodes/$node", [ 'Sys.Audit' ]);
if !($auditor || $user eq $task->{user}); }
my $pstart = PVE::ProcFSTools::read_proc_starttime($task->{pid}); my $pstart = PVE::ProcFSTools::read_proc_starttime($task->{pid});
$task->{status} = ($pstart && ($pstart == $task->{pstart})) ? $task->{status} = ($pstart && ($pstart == $task->{pstart})) ?
......
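Review bot: In the three rewritten guards (`if ($user ne $task->{user}) { $rpcenv->check($user, "/nodes/$node", [ 'Sys.Console' ]); }` and the two `Sys.Audit` variants) the return value of `check()` is now discarded, so the guard only denies access if `check()` raises when the fourth `noerr` argument is absent; that change would live in PVE::RPCEnvironment, which is not on this page, and the `, 1)` added to the boolean-style calls in the other hunks is consistent with such a contract. If `check()` still returns false on denial anywhere, these three call sites silently become no-ops, which is the worst failure mode for an authorization check. A one-line comment at each site would make the assumption visible to the next maintainer, e.g. `# check() raises a permission exception unless the noerr flag is passed`. A task record with no `user` field makes `$user ne $task->{user}` true (undef compares as the empty string), which falls through to the privilege check and is therefore fail-closed. The enclosing API methods start and end outside these hunks.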
...@@ -15,6 +15,7 @@ use LWP::UserAgent; ...@@ -15,6 +15,7 @@ use LWP::UserAgent;
use HTTP::Request::Common; use HTTP::Request::Common;
use HTTP::Status qw(:constants :is status_message); use HTTP::Status qw(:constants :is status_message);
use HTML::Entities; use HTML::Entities;
use PVE::Exception qw(raise raise_perm_exc);
use PVE::JSONSchema; use PVE::JSONSchema;
use PVE::AccessControl; use PVE::AccessControl;
use PVE::RPCEnvironment; use PVE::RPCEnvironment;
...@@ -275,11 +276,11 @@ my $check_permissions = sub { ...@@ -275,11 +276,11 @@ my $check_permissions = sub {
return 1 if !$username && $perm->{user} eq 'world'; return 1 if !$username && $perm->{user} eq 'world';
return 0 if !$username; raise_perm_exc("user != null") if !$username;
return 1 if $username eq 'root@pam'; return 1 if $username eq 'root@pam';
die "permission check failed (user != root)\n" if !$perm; raise_perm_exc('user != root@pam') if !$perm;
return 1 if $perm->{user} && $perm->{user} eq 'all'; return 1 if $perm->{user} && $perm->{user} eq 'all';
...@@ -288,14 +289,11 @@ my $check_permissions = sub { ...@@ -288,14 +289,11 @@ my $check_permissions = sub {
if ($perm->{path} && $perm->{privs}) { if ($perm->{path} && $perm->{privs}) {
my $path = PVE::Tools::template_replace($perm->{path}, $param); my $path = PVE::Tools::template_replace($perm->{path}, $param);
if (!$rpcenv->check($username, $path, $perm->{privs})) { $rpcenv->check($username, $path, $perm->{privs});
my $privstr = join(',', @{$perm->{privs}});
die "Permission check failed ($path, $privstr)\n";
}
return 1; return 1;
} }
die "Permission check failed\n"; raise_perm_exc();
}; };
sub rest_handler { sub rest_handler {
...@@ -332,7 +330,7 @@ sub rest_handler { ...@@ -332,7 +330,7 @@ sub rest_handler {
my ($node, $storeid) = ($1, $2); my ($node, $storeid) = ($1, $2);
my $perm = { my $perm = {
path => "/storage/$storeid", path => "/storage/$storeid",
privs => [ 'abc' ], privs => [ 'Datastore.AllocateSpace' ],
}; };
&$check_permissions($rpcenv, $perm, $username, {}); &$check_permissions($rpcenv, $perm, $username, {});
$isUpload = 1; $isUpload = 1;
...@@ -347,7 +345,7 @@ sub rest_handler { ...@@ -347,7 +345,7 @@ sub rest_handler {
if (my $err = $@) { if (my $err = $@) {
return { return {
status => HTTP_UNAUTHORIZED, status => HTTP_UNAUTHORIZED,
message => $err, message => "$err", # always convert exception to string
}; };
} }
} }
...@@ -392,7 +390,7 @@ sub rest_handler { ...@@ -392,7 +390,7 @@ sub rest_handler {
if (my $err = $@) { if (my $err = $@) {
return { return {
status => HTTP_FORBIDDEN, status => HTTP_FORBIDDEN,
message => $err, message => "$err", # always convert exception to string
}; };
} }
...@@ -411,7 +409,7 @@ sub rest_handler { ...@@ -411,7 +409,7 @@ sub rest_handler {
if (my $err = $@) { if (my $err = $@) {
return { return {
status => HTTP_INTERNAL_SERVER_ERROR, status => HTTP_INTERNAL_SERVER_ERROR,
message => $err, message => "$err", # always convert exception to string
}; };
} }
if ($remip) { if ($remip) {
...@@ -446,11 +444,11 @@ sub rest_handler { ...@@ -446,11 +444,11 @@ sub rest_handler {
if ($err) { if ($err) {
if (ref($err) eq "PVE::Exception") { if (ref($err) eq "PVE::Exception") {
$resp->{status} = $err->{code} || HTTP_INTERNAL_SERVER_ERROR; $resp->{status} = $err->{code} || HTTP_INTERNAL_SERVER_ERROR;
$resp->{message} = $err->{msg} || $@;
$resp->{errors} = $err->{errors} if $err->{errors}; $resp->{errors} = $err->{errors} if $err->{errors};
$resp->{message} = $err->{msg};
} else { } else {
$resp->{status} = HTTP_INTERNAL_SERVER_ERROR; $resp->{status} = HTTP_INTERNAL_SERVER_ERROR;
$resp->{message} = $@; $resp->{message} = "$err";
} }
} }
......
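Review bot: The upload branch still maps every failure to `status => HTTP_UNAUTHORIZED` and `message => "$err"`, while the generic handler further down now reads `$err->{code}`/`$err->{msg}` for a PVE::Exception; since `$check_permissions` now throws via `raise_perm_exc` (for the `Datastore.AllocateSpace` check and the `user != root@pam` case alike), a denied upload reaches the client as 401 regardless of the code carried by the exception, and the message is only readable if PVE::Exception overloads stringification, which this page does not show. The two lines in the upload branch could mirror the generic handler: `status => (ref($err) eq 'PVE::Exception' && $err->{code}) || HTTP_UNAUTHORIZED,` and `message => (ref($err) eq 'PVE::Exception' && $err->{msg}) || "$err",`. The same stringification caveat applies to the two later `"$err"` branches in rest_handler. Both `$check_permissions` and `rest_handler` begin and end outside the visible hunks.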
...@@ -178,6 +178,8 @@ Ext.define('PVE.dc.ACLView', { ...@@ -178,6 +178,8 @@ Ext.define('PVE.dc.ACLView', {
} }
}); });
PVE.Utils.monStoreErrors(me, store);
Ext.apply(me, { Ext.apply(me, {
store: store, store: store,
selModel: sm, selModel: sm,
......
...@@ -75,6 +75,8 @@ Ext.define('PVE.dc.GroupView', { ...@@ -75,6 +75,8 @@ Ext.define('PVE.dc.GroupView', {
edit_btn, remove_btn edit_btn, remove_btn
]; ];
PVE.Utils.monStoreErrors(me, store);
Ext.apply(me, { Ext.apply(me, {
store: store, store: store,
selModel: sm, selModel: sm,
......
...@@ -26,6 +26,8 @@ Ext.define('PVE.dc.RoleView', { ...@@ -26,6 +26,8 @@ Ext.define('PVE.dc.RoleView', {
return value.replace(/\,/g, ' '); return value.replace(/\,/g, ' ');
}; };
PVE.Utils.monStoreErrors(me, store);
Ext.apply(me, { Ext.apply(me, {
store: store, store: store,
stateful: false, stateful: false,
......
...@@ -136,9 +136,7 @@ Ext.define('PVE.dc.UserEdit', { ...@@ -136,9 +136,7 @@ Ext.define('PVE.dc.UserEdit', {
}, },
submitValue: false submitValue: false
}); });
} else { }
update_passwd_field(me.userid.match(/@([^@]+)$/)[1]);
}
var ipanel = Ext.create('PVE.panel.InputPanel', { var ipanel = Ext.create('PVE.panel.InputPanel', {
column1: column1, column1: column1,
......
Ext.define('PVE.window.PasswordEdit', {
extend: 'PVE.window.Edit',
initComponent : function() {
var me = this;
if (!me.userid) {
throw "no userid specified";
}
var validate_pw = function() {
if (verifypw.getValue() !== pwfield.getValue()) {
return gettext("Passwords does not match");
}
return true;
};
var verifypw = Ext.createWidget('textfield', {
inputType: 'password',
fieldLabel: gettext('Verify Password'),
name: 'verifypassword',
submitValue: false,
validator: validate_pw
});
var pwfield = Ext.createWidget('textfield', {
inputType: 'password',
fieldLabel: gettext('Password'),
minLength: 5,
name: 'password',
validator: validate_pw
});
Ext.apply(me, {
subject: gettext('Password'),
url: '/api2/extjs/access/password',
items: [
pwfield, verifypw,
{
xtype: 'hiddenfield',
name: 'userid',
value: me.userid,
}
]
});
me.callParent();
}
});
Ext.define('PVE.dc.UserView', { Ext.define('PVE.dc.UserView', {
extend: 'Ext.grid.GridPanel', extend: 'Ext.grid.GridPanel',
...@@ -69,6 +119,19 @@ Ext.define('PVE.dc.UserView', { ...@@ -69,6 +119,19 @@ Ext.define('PVE.dc.UserView', {
handler: run_editor handler: run_editor
}); });
var pwchange_btn = new PVE.button.Button({
text: gettext('Password'),
disabled: true,
selModel: sm,
handler: function(btn, event, rec) {
var win = Ext.create('PVE.window.PasswordEdit',{
userid: rec.data.userid
});
win.on('destroy', reload);
win.show();
}
});
var tbar = [ var tbar = [
{ {
text: gettext('Create'), text: gettext('Create'),
...@@ -79,7 +142,7 @@ Ext.define('PVE.dc.UserView', { ...@@ -79,7 +142,7 @@ Ext.define('PVE.dc.UserView', {
win.show(); win.show();
} }
}, },
edit_btn, remove_btn edit_btn, remove_btn, pwchange_btn
]; ];
var render_full_name = function(firstname, metaData, record) { var render_full_name = function(firstname, metaData, record) {
......
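Review bot: The password policy in PVE.window.PasswordEdit (`minLength: 5` and the verify-field match) is enforced only in the browser; the `/api2/extjs/access/password` endpoint is not on this page, so it is worth confirming it applies its own length/complexity check, because a direct API call bypasses this dialog entirely. `validate_pw` is attached to both fields, but a field's validator only runs when that field changes, so editing `password` after `verifypassword` was filled can leave the verify field's state stale unless the form revalidates on submit — worth a quick manual check. The user-facing string should read `gettext("Passwords do not match")` (note this changes a gettext msgid, so translations need updating). The trailing comma in `value: me.userid,` is a syntax error in ES3-era browsers, if any are still a target.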
...@@ -5,7 +5,7 @@ Ext.define('PVE.window.NotesEdit', { ...@@ -5,7 +5,7 @@ Ext.define('PVE.window.NotesEdit', {
var me = this; var me = this;
Ext.apply(me, { Ext.apply(me, {
title: "Notes", title: gettext('Notes'),
width: 600, width: 600,
layout: 'fit', layout: 'fit',
items: { items: {
......