[pve-devel] [PATCH manager 3/4] fix #5722: ui: api token: allow unprivileged users to create their own api tokens
Daniel Kral
d.kral at proxmox.com
Thu Oct 31 14:46:28 CET 2024
Since `48a66a12ee19a8d14e92827623aa005c2ab2c06c` (ui: api token:
rewrite), the TokenEdit edit modal is prefilled with the userid, which
is currently logged in.

The selector items in Proxmox.form.UserSelector used in the TokenEdit
component are filled from the `/access/users` API endpoint, therefore
the user selection is restricted to which the user has "Sys.Audit" or
"User.Modify" permissions and the current authenticated user themselves.
Therefore, the button can be accessible to unprivileged users as well.

This change allows users without the "User.Modify" permission to add API
tokens, since this is already allowed by the API endpoint
`/access/users/{userid}/token/{tokenid}`.

Signed-off-by: Daniel Kral <d.kral at proxmox.com>
---
www/manager6/dc/TokenView.js | 1 -
1 file changed, 1 deletion(-)
diff --git a/www/manager6/dc/TokenView.js b/www/manager6/dc/TokenView.js
index 7d6d4274..d275a1c5 100644
--- a/www/manager6/dc/TokenView.js
+++ b/www/manager6/dc/TokenView.js
@@ -74,7 +74,6 @@ Ext.define('PVE.dc.TokenView', {
let tbar = [
{
text: gettext('Add'),
- disabled: !caps.access['User.Modify'],
handler: function(btn, e) {
let data = {};
let win = Ext.create('PVE.dc.TokenEdit', {
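Review bot: with the `disabled: !caps.access['User.Modify']` line dropped from the 'Add' button, a user who holds only "Sys.Audit" can now open PVE.dc.TokenEdit and, per the commit message, will still see other users in the selector even though they cannot create tokens for them. The API endpoint remains the real authorization check, so this is not a privilege problem, but the dialog will offer choices that can only end in a permission error. Consider making the user field in TokenEdit read-only (fixed to the logged-in userid) when `caps.access['User.Modify']` is not set, or filtering the selector accordingly, and state in the commit message that enforcement stays server-side. Also worth checking that `caps` is still used elsewhere in this function after the removal, so no unused variable is left behind.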
--
2.39.5