[pve-devel] [PATCH v3 access-control 12/20] api: disallow some paths for API tokens
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Jan 21 13:54:10 CET 2020
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
Notes:
requires versioned dependency on libpve-common-perl
v2->v3:
- rename notoken to allowtoken, negate semantics accordingly
requires versioned dependency on libpve-common-perl
requires a versioned depends on libpve-common-perl
PVE/API2/AccessControl.pm | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm
index 273178d..c6499be 100644
--- a/PVE/API2/AccessControl.pm
+++ b/PVE/API2/AccessControl.pm
@@ -234,6 +234,7 @@ __PACKAGE__->register_method ({
user => 'world'
},
protected => 1, # else we can't access shadow files
+ allowtoken => 0, # we don't want tokens to create tickets
description => "Create or verify authentication ticket.",
parameters => {
additionalProperties => 0,
@@ -339,6 +340,7 @@ __PACKAGE__->register_method ({
],
},
protected => 1, # else we can't access shadow files
+ allowtoken => 0, # we don't want tokens to change the regular user password
description => "Change user password.",
parameters => {
additionalProperties => 0,
@@ -470,6 +472,7 @@ __PACKAGE__->register_method ({
],
},
protected => 1, # else we can't access shadow files
+ allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
description => "Change user u2f authentication.",
parameters => {
additionalProperties => 0,
@@ -594,6 +597,7 @@ __PACKAGE__->register_method({
method => 'POST',
permissions => { user => 'all' },
protected => 1, # else we can't access shadow files
+ allowtoken => 0, # we don't want tokens to access TFA information
description => 'Finish a u2f challenge.',
parameters => {
additionalProperties => 0,
--
2.20.1
More information about the pve-devel
mailing list