[pdm-devel] [PATCH datacenter-manager 2/3] fix #6901: api: add explicit permission check for vnets list

Stefan Hanreich s.hanreich at proxmox.com
Thu Oct 16 11:24:11 CEST 2025


On 10/16/25 10:12 AM, Shannon Sterz wrote:
>> we use UNAUTHORIZED instead of FORBIDDEN in other places, so imo would
>> be better to do that here too - same for the other 2 patches as well.
> 
> this was already discussed for a previous patch series. UNAUTHORIZED
> there is arguably false, as we usually return a 403 FORBIDDEN when a
> user does not have sufficient permissions (e.g. that's what you get if
> you define permissions through the api macro and a user doesn't have
> them). not a 401 UNAUTHORIZED, which we use to indicate that the user
> has not been authenticated (i.e. no or invalid ticket).
> 
> iirc Permission::Anybody above means that anybody that has been
> authenticated can access this endpoint (as opposed to Permission::World,
> which means even unauthenticated users can access it). hence, we know
> the user is authenticated here. so this is fine, but returning 401
> UNAUTHORIZED in those other endpoints is wrong imo.
> 
> note that the ui relies on that in many cases: a 401 will trigger the
> login prompt to be shown again, a 403 will simply show an error.
> 

makes sense, thanks for clearing this up!
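As an added illustration (not code from this patch or from proxmox-router), a small Rust model of the check order the thread describes: an invalid or missing ticket is an authentication failure (401), a valid ticket without the needed privilege is an authorization failure (403), and a handler declared `Permission::Anybody` can only ever hit the latter. `Permission`, `Status`, `User`, `check_access`, `list_vnets_for` and the privilege name `"Example.Audit"` are constructed for this example.

```rust
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Permission {
    /// Reachable without any ticket.
    World,
    /// Any authenticated user (a valid ticket is guaranteed in the handler).
    Anybody,
    /// Authenticated user holding the named privilege.
    Privilege(&'static str),
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Status {
    Ok = 200,
    Unauthorized = 401, // UI reaction: show the login prompt again
    Forbidden = 403,    // UI reaction: plain error, session stays
}

/// Authenticated caller plus the privileges the ACL grants them.
pub struct User<'a> {
    pub name: &'a str,
    pub privs: &'a [&'a str],
}

/// `user` is `None` when the request carried no valid ticket.
/// Authentication is decided before any privilege lookup, so an
/// unauthenticated caller never learns whether it would have been allowed.
pub fn check_access(required: Permission, user: Option<&User>) -> Status {
    match (required, user) {
        (Permission::World, _) => Status::Ok,
        (_, None) => Status::Unauthorized,
        (Permission::Anybody, Some(_)) => Status::Ok,
        (Permission::Privilege(p), Some(u)) => {
            if u.privs.iter().any(|have| *have == p) { Status::Ok } else { Status::Forbidden }
        }
    }
}

/// Constructed privilege name standing in for whatever the real ACL uses.
pub const VNET_LIST_PRIV: &str = "Example.Audit";

/// Explicit check inside a handler registered as `Permission::Anybody`:
/// the router already proved the ticket, so a failure here must be 403.
pub fn list_vnets_for(user: &User) -> Result<Vec<String>, Status> {
    match check_access(Permission::Privilege(VNET_LIST_PRIV), Some(user)) {
        Status::Ok => Ok(vec![format!("vnet-visible-to-{}", user.name)]),
        status => Err(status),
    }
}
```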