From 79c9d3b84b4d8ea88d432810ecea26f477077428 Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht
Date: Thu, 15 Jun 2023 09:23:33 +0200
Subject: [PATCH] api: tfa: don't block tokens from viewing and list TFA entries

The `allowtoken` property is a total, unconditional block on using API tokens on an endpoint. We reserve those only for a limited set of security critical endpoints like changing passwords or second factors, or creating a (cookie) ticket, which are exempt from this limitations, so require to have limited access to them too. Anyhow, listing and getting TFA entries for users, where the API token has the correct permissions granted, is not critical, as the API token cannot gain more permissions than they have from that info, so drop the total block on those GET methods.

Signed-off-by: Thomas Lamprecht
---
 src/PVE/API2/TFA.pm | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
index 7b3f53d..62b9653 100644
--- a/src/PVE/API2/TFA.pm
+++ b/src/PVE/API2/TFA.pm
@@ -163,7 +163,6 @@ __PACKAGE__->register_method ({
 ],
 },
 protected => 1, # else we can't access shadow files
- allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
 description => 'List TFA configurations of users.',
 parameters => {
 additionalProperties => 0,
@@ -195,7 +194,6 @@ __PACKAGE__->register_method ({
 ],
 },
 protected => 1, # else we can't access shadow files
- allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
 description => 'Fetch a requested TFA entry if present.',
 parameters => {
 additionalProperties => 0,
@@ -270,7 +268,6 @@ __PACKAGE__->register_method ({
 user => 'all',
 },
 protected => 1, # else we can't access shadow files
- allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
 description => 'List TFA configurations of users.',
 parameters => {
 additionalProperties => 0,
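Review bot: The comment that justified `allowtoken => 0` on the list endpoint is dropped without recording why tokens are now admitted, and the hunk shows no `returns` schema, so the commit message's safety argument (a token learns nothing it can act on) cannot be checked from what is visible. That argument only holds if the response carries entry metadata and no secret material such as TOTP seeds, recovery keys or credential data; please confirm this against the method body and its `returns` definition, both outside the hunk, and record the conclusion next to the remaining flag, e.g. `protected => 1, # else we can't access shadow files; read-only, tokens allowed as the response carries no TFA secrets`. The enclosing `register_method` call starts before and ends after this hunk.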
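Review bot: In the third hunk the method's `permissions` is `user => 'all'`, so once `allowtoken => 0` is removed no schema-level ACL stands between an arbitrary API token and this list method; any restriction to the caller's own entries, or to users the caller holds a privilege on, has to live in the method body, which is outside the hunk. That body was presumably written while tokens were blocked outright, so please verify it resolves a token to its owning user rather than treating the token id as a user, and applies the same per-user check a regular login gets, ideally with a test in which a token of user A requests user B's entries. A short note such as `user => 'all', # per-user access is enforced in the method body; must hold for API tokens too` would keep the next reader from assuming the check happens here. The enclosing `register_method` call starts before and ends after this hunk.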