[pmg-devel] superseded: [PATCH pmg-api] fix #5438: api: mimetypes: allow all authenticated users
Stoiko Ivanov
s.ivanov at proxmox.com
Tue Sep 23 11:26:49 CEST 2025
fixed a glitch in the commit message in:
https://lore.proxmox.com/pmg-devel/20250923092611.5058-1-s.ivanov@proxmox.com/T/#u
On Tue, 23 Sep 2025 10:24:31 +0200
Stoiko Ivanov <s.ivanov at proxmox.com> wrote:
> The list of mime-types recognized by the system is not really
> sensitive information. The call itself reads a directory from disk,
> which technically has a potential for causing load (but that should be
> cached after the first read).
>
> Allowing it for all authenticated backend users should be ok.
>
> The issue itself is fixed by allowing all 'admin' users to
> access it, as they are the ones who can edit what-objects (where this
> is queried).
>
> To err on the cautious side the patch still only allows admin users.
>
> Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
> ---
>
> src/PMG/API2/MimeTypes.pm | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/src/PMG/API2/MimeTypes.pm b/src/PMG/API2/MimeTypes.pm
> index f18879fc..688c68eb 100644
> --- a/src/PMG/API2/MimeTypes.pm
> +++ b/src/PMG/API2/MimeTypes.pm
> @@ -73,6 +73,7 @@ __PACKAGE__->register_method({
> path => '',
> method => 'GET',
> description => "Get Mime Types List",
> + permissions => { check => ['admin'] },
> parameters => {
> additionalProperties => 0,
> },
More information about the pmg-devel
mailing list