[pmg-devel] [PATCH pmg-api] fix #5438: api: mimetypes: allow all authenticated users

Stoiko Ivanov s.ivanov at proxmox.com
Tue Sep 23 10:24:31 CEST 2025


The list of mime-types recognized by the system is not really
sensitive information. The call itself reads a directory from disk,
which technically has a potential for causing load (but that should be
cached after the first read).

Allowing it for all authenticated backend users should be ok.

The issue itself is fixed by allowing all 'admin' users to
access it, as they are the ones who can edit what-objects (where this
is queried).

To err on the cautious side the patch still only allows admin users.

Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
---

 src/PMG/API2/MimeTypes.pm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/PMG/API2/MimeTypes.pm b/src/PMG/API2/MimeTypes.pm
index f18879fc..688c68eb 100644
--- a/src/PMG/API2/MimeTypes.pm
+++ b/src/PMG/API2/MimeTypes.pm
@@ -73,6 +73,7 @@ __PACKAGE__->register_method({
     path => '',
     method => 'GET',
     description => "Get Mime Types List",
+    permissions => { check => ['admin'] },
     parameters => {
         additionalProperties => 0,
     },
-- 
2.39.5





More information about the pmg-devel mailing list