[pve-devel] [RFC manager 1/3] fix #6094: api: apt: allow to get packages info with Sys.Audit
Fiona Ebner
f.ebner at proxmox.com
Tue May 6 15:52:44 CEST 2025
On 17.02.25 at 13:19, Daniel Kral wrote:
> Relax the required permissions to query the current list of available
> package updates and the changelog of a package on a node. Both API
> endpoints do not modify any system state except caching outputs.
>
> Those were probably only "Sys.Modify" before, since both are used in
> conjunction with upgrading packages in the WebGUI, which is only visible
> with that permission, but some users might be interested in this
> information outside of this and/or without being able to upgrade.
>
> Keep Sys.Modify for backwards compatibility.
>
> Signed-off-by: Daniel Kral <d.kral at proxmox.com>
The 'changelog' endpoint does trigger the download of the changelog of
course, but I fail to see how that could be abused for anything, so:
Reviewed-by: Fiona Ebner <f.ebner at proxmox.com>
> ---
> PVE/API2/APT.pm | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/PVE/API2/APT.pm b/PVE/API2/APT.pm
> index 47c50961..2a1de1e6 100644
> --- a/PVE/API2/APT.pm
> +++ b/PVE/API2/APT.pm
> @@ -202,7 +202,7 @@ __PACKAGE__->register_method({
> method => 'GET',
> description => "List available updates.",
> permissions => {
> - check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
> + check => ['perm', '/nodes/{node}', [ 'Sys.Audit', 'Sys.Modify' ], any => 1],
> },
> protected => 1,
> proxyto => 'node',
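Review bot: On the changed `check` line of the "List available updates." method, an audit-only role now reaches a handler that is marked `protected => 1` and, per the commit message, writes cached output. A short comment above the `permissions` block stating that the cache refresh is the only side effect would help, so that a later change adding state-modifying behaviour to this GET handler prompts a re-check of the `Sys.Audit` grant. The same `[ 'Sys.Audit', 'Sys.Modify' ], any => 1` list is repeated in the next hunk, so the two need to stay in sync.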
> @@ -379,7 +379,7 @@ __PACKAGE__->register_method({
> method => 'GET',
> description => "Get package changelogs.",
> permissions => {
> - check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
> + check => ['perm', '/nodes/{node}', [ 'Sys.Audit', 'Sys.Modify' ], any => 1],
> },
> proxyto => 'node',
> parameters => {
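Review bot: On the changed `check` line of the "Get package changelogs." method, `Sys.Audit` now suffices to reach a handler that, as noted in the review reply, triggers a changelog download, yet the method `description` does not mention it. Consider stating the download in the description, and confirm that the package name accepted under `parameters` (its schema is not visible in this context) is constrained by the schema before it is used for the fetch.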