api: tfa: don't block tokens from viewing and list TFA entries

The `allowtoken` property is a total, unconditional block on using
API tokens on an endpoint. We reserve those only for a limited set of
security critical endpoints like changing passwords or second
factors, or creating a (cookie) ticket, which are exempt from this
limitations, so require to have limited access to them too.

Anyhow, listing and getting TFA entries for users, where the API
token has the correct permissions granted, is not critical, as the
API token cannot gain more permissions than they have from that
info, so drop the total block on those GET methods.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
index 7b3f53d2662124ec792ab94dcfa965d423b87a2a..62b9653e24487ac03668c97a91b47b1ecdba4949 100644 (file)
--- a/src/PVE/API2/TFA.pm
+++ b/src/PVE/API2/TFA.pm
@@ -163,7 +163,6 @@ __PACKAGE__->register_method ({
        ],
     },
     protected => 1, # else we can't access shadow files
-    allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
     description => 'List TFA configurations of users.',
     parameters => {
        additionalProperties => 0,
@@ -195,7 +194,6 @@ __PACKAGE__->register_method ({
        ],
     },
     protected => 1, # else we can't access shadow files
-    allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
     description => 'Fetch a requested TFA entry if present.',
     parameters => {
        additionalProperties => 0,
@@ -270,7 +268,6 @@ __PACKAGE__->register_method ({
        user => 'all',
     },
     protected => 1, # else we can't access shadow files
-    allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
     description => 'List TFA configurations of users.',
     parameters => {
        additionalProperties => 0,