api: tfa: don't block tokens from viewing and list TFA entries

The `allowtoken` property is a total, unconditional block on using
API tokens on an endpoint. We reserve those only for a limited set of
security critical endpoints like changing passwords or second
factors, or creating a (cookie) ticket, which are exempt from these
limitations, so require limited access to them too.

Anyhow, listing and getting TFA entries for users, where the API
token has the correct permissions granted, is not critical, as the
API token cannot gain more permissions than it has from that
info, so drop the total block on those GET methods.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht 2023-06-15 09:23:33 +02:00
parent 329780350c
commit 79c9d3b84b


@ -163,7 +163,6 @@ __PACKAGE__->register_method ({
],
},
protected => 1, # else we can't access shadow files
allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
description => 'List TFA configurations of users.',
parameters => {
additionalProperties => 0,
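Review bot: dropping `allowtoken => 0` leaves this method on whatever default `register_method` applies, and the hunk does not show that default or the `permissions` check that precedes the visible `],` / `},` context. The commit message justifies the change by "where the API token has the correct permissions granted", so please confirm in review that the check list above this hunk actually gates the listing by the token's privileges; if the default for `allowtoken` is not obviously permissive to readers of this file, consider an explicit `allowtoken => 1` so the intent survives the removed comment.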
@ -195,7 +194,6 @@ __PACKAGE__->register_method ({
],
},
protected => 1, # else we can't access shadow files
allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
description => 'Fetch a requested TFA entry if present.',
parameters => {
additionalProperties => 0,
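Review bot: this method runs `protected => 1` ("else we can't access shadow files"), so after the removal a token can now trigger a root-privileged read of the TFA entry ("Fetch a requested TFA entry if present."). The security-relevant question is what the returned entry contains: the change is only safe if the response holds entry metadata (type, id, description) and never secret material such as a TOTP seed or recovery key. Please state in the commit message, or verify in the handler body outside this hunk, that the fetched entry is already scrubbed of secrets before it reaches the caller.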
@ -270,7 +268,6 @@ __PACKAGE__->register_method ({
user => 'all',
},
protected => 1, # else we can't access shadow files
allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
description => 'List TFA configurations of users.',
parameters => {
additionalProperties => 0,
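Review bot: here the visible `permissions` block is `user => 'all'`, i.e. no privilege check gates this method, so once `allowtoken => 0` is gone every token, regardless of its ACLs, can call it; the "correct permissions granted" argument from the commit message does not apply to this hunk unless the handler itself filters the output to the calling user's own entries. Please confirm that filtering happens in the handler body, or add a `check` clause instead of relying on `user => 'all'`. Also, the description `'List TFA configurations of users.'` duplicates the first hunk's method description for what is a different endpoint; give it a distinct description.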