From 7af404b2016856992669f4f6ac3ce8543edd227b Mon Sep 17 00:00:00 2001
From: =?utf8?q?Fabian=20Gr=C3=BCnbichler?=
Date: Tue, 21 Jan 2020 13:54:22 +0100
Subject: [PATCH] rest_handler: implement 'allowtoken' property
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

to filter out API paths that are not available with API tokens for security reasons, such as access control related endpoints.

Signed-off-by: Fabian Grünbichler
---
 PVE/HTTPServer.pm | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
index 65f3a1d8..7859081b 100755
--- a/PVE/HTTPServer.pm
+++ b/PVE/HTTPServer.pm
@@ -7,7 +7,7 @@ use PVE::SafeSyslog;
 use PVE::INotify;
 use PVE::Tools;
 use PVE::APIServer::AnyEvent;
-use PVE::Exception qw(raise_param_exc raise);
+use PVE::Exception qw(raise_param_exc raise_perm_exc raise);
 use PVE::RPCEnvironment;
 use PVE::AccessControl;

@@ -148,6 +148,9 @@ sub rest_handler {
 $uri_param->{$p} = $params->{$p};
 }

+ raise_perm_exc("URI '$rel_uri' not available with API token, need proper ticket.\n")
+ if $auth->{api_token} && !$info->{allowtoken};
+
 # check access permissions
 $rpcenv->check_api2_permissions($info->{permissions}, $auth->{userid}, $uri_param);

--
2.39.5
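Review bot: The new guard in the second hunk rejects every token-authenticated request whose `$info->{allowtoken}` is false, so its effect hinges entirely on how that property is defaulted in the API registration, which this patch does not touch: a default of true keeps every existing endpoint token-reachable and requires sensitive ones to be opted out individually, while no default at all locks tokens out of everything (fail-closed, but probably not intended). That dependency deserves a comment at the insertion point, e.g. `# API tokens are refused up-front for endpoints not marked allowtoken (ACL/token management etc.), regardless of the token's privileges; the default for allowtoken is set where the API methods are registered`. The check runs before `check_api2_permissions`, which is the right order, but it is bound to `rest_handler` alone, so any other dispatch path that resolves `$info` without passing through here would not enforce it -- that is inferred, not visible in the hunk. `$rel_uri` is request-controlled and is echoed verbatim into the exception text returned to the client; harmless as a plain string, but worth keeping in mind if the message is ever rendered unescaped. The body of rest_handler starts and ends outside the hunk.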