[pve-devel] applied: [PATCH v3 manager 2/9] rest_handler: implement 'allowtoken' property

Thomas Lamprecht t.lamprecht at proxmox.com
Wed Jan 29 21:50:34 CET 2020


On 1/21/20 1:54 PM, Fabian Grünbichler wrote:
> to filter out API paths that are not available with API tokens for
> security reasons, such as access control related endpoints.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
> 
> Notes:
>     pairs with patch in pve-common that adds this to the schema-schema. any modules
>     setting that flag need a corresponding versioned depends on
>     libpve-common-perl..
>     
>     v2->v3:
>     - rename to allowtoken, negate default value/semantics
> 
>  PVE/HTTPServer.pm | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
> index 65f3a1d8..7859081b 100755
> --- a/PVE/HTTPServer.pm
> +++ b/PVE/HTTPServer.pm
> @@ -7,7 +7,7 @@ use PVE::SafeSyslog;
>  use PVE::INotify;
>  use PVE::Tools;
>  use PVE::APIServer::AnyEvent;
> -use PVE::Exception qw(raise_param_exc raise);
> +use PVE::Exception qw(raise_param_exc raise_perm_exc raise);
>  
>  use PVE::RPCEnvironment;
>  use PVE::AccessControl;
> @@ -148,6 +148,9 @@ sub rest_handler {
>  	    $uri_param->{$p} = $params->{$p};
>  	}
>  
> +	raise_perm_exc("URI '$rel_uri' not available with API token, need proper ticket.\n")
> +	    if $auth->{api_token} && !$info->{allowtoken};
> +
>  	# check access permissions
>  	$rpcenv->check_api2_permissions($info->{permissions}, $auth->{userid}, $uri_param);
>  
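Review bot: the `!$info->{allowtoken}` test in the added `raise_perm_exc` condition treats a method that leaves `allowtoken` unset exactly like one that sets it to 0, so as written here a token request is refused unless the property is actually present in `$info`. The v3 note says the default value was negated; if the intended default is "allowed", it has to be filled into `$info` before `rest_handler` reaches this line. A one-line comment above the check saying where that happens would make the dependency on the pve-common schema change explicit. If the intended default is "denied", the check is fail-closed as it stands and the comment should say so. Running the check before `check_api2_permissions` is the right order, since a path closed to tokens is then refused regardless of the permissions evaluated afterwards.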
> 

applied, thanks!




