api: disallow some paths for API tokens

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm
index 273178d98754ac206b89f42fbee079d49c124571..c6499be87a307d0dab8e347daeafbf6166716aec 100644 (file)
--- a/PVE/API2/AccessControl.pm
+++ b/PVE/API2/AccessControl.pm
@@ -234,6 +234,7 @@ __PACKAGE__->register_method ({
        user => 'world' 
     },
     protected => 1, # else we can't access shadow files
+    allowtoken => 0, # we don't want tokens to create tickets
     description => "Create or verify authentication ticket.",
     parameters => {
        additionalProperties => 0,
@@ -339,6 +340,7 @@ __PACKAGE__->register_method ({
            ],
     },
     protected => 1, # else we can't access shadow files
+    allowtoken => 0, # we don't want tokens to change the regular user password
     description => "Change user password.",
     parameters => {
        additionalProperties => 0,
@@ -470,6 +472,7 @@ __PACKAGE__->register_method ({
            ],
     },
     protected => 1, # else we can't access shadow files
+    allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
     description => "Change user u2f authentication.",
     parameters => {
        additionalProperties => 0,
@@ -594,6 +597,7 @@ __PACKAGE__->register_method({
     method => 'POST',
     permissions => { user => 'all' },
     protected => 1, # else we can't access shadow files
+    allowtoken => 0, # we don't want tokens to access TFA information
     description => 'Finish a u2f challenge.',
     parameters => {
        additionalProperties => 0,