From: Fabian Grünbichler
Date: Tue, 21 Jan 2020 12:54:10 +0000 (+0100)
Subject: api: disallow some paths for API tokens
X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=commitdiff_plain;h=49372390918725b7f8b0d9538ba99a629ae1d885
api: disallow some paths for API tokens
Signed-off-by: Fabian Grünbichler
---
diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm
index 273178d..c6499be 100644
--- a/PVE/API2/AccessControl.pm
+++ b/PVE/API2/AccessControl.pm
@@ -234,6 +234,7 @@ __PACKAGE__->register_method ({
 user => 'world'
 },
 protected => 1, # else we can't access shadow files
+ allowtoken => 0, # we don't want tokens to create tickets
 description => "Create or verify authentication ticket.",
 parameters => {
 additionalProperties => 0,
@@ -339,6 +340,7 @@ __PACKAGE__->register_method ({
 ],
 },
 protected => 1, # else we can't access shadow files
+ allowtoken => 0, # we don't want tokens to change the regular user password
 description => "Change user password.",
 parameters => {
 additionalProperties => 0,
@@ -470,6 +472,7 @@ __PACKAGE__->register_method ({
 ],
 },
 protected => 1, # else we can't access shadow files
+ allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
 description => "Change user u2f authentication.",
 parameters => {
 additionalProperties => 0,
@@ -594,6 +597,7 @@ __PACKAGE__->register_method({
 method => 'POST',
 permissions => { user => 'all' },
 protected => 1, # else we can't access shadow files
+ allowtoken => 0, # we don't want tokens to access TFA information
 description => 'Finish a u2f challenge.',
 parameters => {
 additionalProperties => 0,
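Review bot: The `allowtoken => 0` entries added in all four hunks (ticket creation, password change, u2f change, u2f challenge) are declarations only; nothing in this patch shows where the flag is enforced or what happens when a method omits the key. If the dispatcher treats a missing `allowtoken` as allowed, this is an opt-out denylist, and any credential-affecting method registered later is reachable with a token unless its author remembers the flag. It is worth confirming that default in the request handler and documenting it next to the method schema. A regression test that calls each of these four paths with token authentication and expects a rejection would pin the behaviour. Each `register_method` call starts and ends outside its hunk, so the handlers themselves are not visible here.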
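Review bot: The comment on the `allowtoken => 0` line in the last hunk says tokens should not "access TFA information", but the method's description is 'Finish a u2f challenge.', which reads as completing a second-factor step rather than reading data. A comment that names the action would match the other three, for example `allowtoken => 0, # we don't want tokens to complete a TFA challenge`. The method body lies outside the hunk, so what it returns on success cannot be checked from here.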