[pmg-devel] superseded: [PATCH pmg-api] fix #5438: api: mimetypes: allow all authenticated users

Stoiko Ivanov s.ivanov at proxmox.com
Tue Sep 23 11:26:49 CEST 2025


fixed a glitch in the commit message in:
https://lore.proxmox.com/pmg-devel/20250923092611.5058-1-s.ivanov@proxmox.com/T/#u

On Tue, 23 Sep 2025 10:24:31 +0200
Stoiko Ivanov <s.ivanov at proxmox.com> wrote:

> The list of mime-types recognized by the system is not really
> sensitive information. The call itself reads a directory from disk,
> which technically has a potential for causing load (but that should be
> cached after the first read).
> 
> Allowing it for all authenticated backend users should be ok.
> 
> The issue itself is fixed by allowing all 'admin' users to
> access it, as they are the ones who can edit what-objects (where this
> is queried).
> 
> To err on the cautious side the patch still only allows admin users.
> 
> Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
> ---
> 
>  src/PMG/API2/MimeTypes.pm | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/src/PMG/API2/MimeTypes.pm b/src/PMG/API2/MimeTypes.pm
> index f18879fc..688c68eb 100644
> --- a/src/PMG/API2/MimeTypes.pm
> +++ b/src/PMG/API2/MimeTypes.pm
> @@ -73,6 +73,7 @@ __PACKAGE__->register_method({
>      path => '',
>      method => 'GET',
>      description => "Get Mime Types List",
> +    permissions => { check => ['admin'] },
>      parameters => {
>          additionalProperties => 0,
>      },





More information about the pmg-devel mailing list