proxmox-mirrors/pve-access-control
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-access-control synced 2025-08-04 09:21:22 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

api: disallow some paths for API tokens

Browse Source 
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Fabian Grünbichler 2020-01-21 13:54:10 +01:00 committed by Thomas Lamprecht
parent e915e9e454
commit 4937239091
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
PVE/API2/AccessControl.pm
View File

@ -234,6 +234,7 @@ __PACKAGE__->register_method ({
user => 'world'
},
protected => 1, # else we can't access shadow files
allowtoken => 0, # we don't want tokens to create tickets
description => "Create or verify authentication ticket.",
parameters => {
additionalProperties => 0,
@ -339,6 +340,7 @@ __PACKAGE__->register_method ({
],
},
protected => 1, # else we can't access shadow files
allowtoken => 0, # we don't want tokens to change the regular user password
description => "Change user password.",
parameters => {
additionalProperties => 0,
@ -470,6 +472,7 @@ __PACKAGE__->register_method ({
],
},
protected => 1, # else we can't access shadow files
allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
description => "Change user u2f authentication.",
parameters => {
additionalProperties => 0,
@ -594,6 +597,7 @@ __PACKAGE__->register_method({
method => 'POST',
permissions => { user => 'all' },
protected => 1, # else we can't access shadow files
allowtoken => 0, # we don't want tokens to access TFA information
description => 'Finish a u2f challenge.',
parameters => {
additionalProperties => 0,