From 49372390918725b7f8b0d9538ba99a629ae1d885 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Fabian=20Gr=C3=BCnbichler?=
Date: Tue, 21 Jan 2020 13:54:10 +0100
Subject: [PATCH] api: disallow some paths for API tokens
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Signed-off-by: Fabian Grünbichler
---
 PVE/API2/AccessControl.pm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm
index 273178d..c6499be 100644
--- a/PVE/API2/AccessControl.pm
+++ b/PVE/API2/AccessControl.pm
@@ -234,6 +234,7 @@ __PACKAGE__->register_method ({
 user => 'world'
 },
 protected => 1, # else we can't access shadow files
+ allowtoken => 0, # we don't want tokens to create tickets
 description => "Create or verify authentication ticket.",
 parameters => {
 additionalProperties => 0,
@@ -339,6 +340,7 @@ __PACKAGE__->register_method ({
 ],
 },
 protected => 1, # else we can't access shadow files
+ allowtoken => 0, # we don't want tokens to change the regular user password
 description => "Change user password.",
 parameters => {
 additionalProperties => 0,
@@ -470,6 +472,7 @@ __PACKAGE__->register_method ({
 ],
 },
 protected => 1, # else we can't access shadow files
+ allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
 description => "Change user u2f authentication.",
 parameters => {
 additionalProperties => 0,
@@ -594,6 +597,7 @@ __PACKAGE__->register_method({
 method => 'POST',
 permissions => { user => 'all' },
 protected => 1, # else we can't access shadow files
+ allowtoken => 0, # we don't want tokens to access TFA information
 description => 'Finish a u2f challenge.',
 parameters => {
 additionalProperties => 0,
--
2.39.2
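Review bot: The `allowtoken => 0` entry added in the first hunk (ticket creation), and repeated in the password, u2f-settings and u2f-challenge hunks, is a per-method opt-out, so it only protects these paths if the request dispatcher rejects token-authenticated calls when the key is 0, and that check is not part of this patch. If a method without the key stays reachable with a token, which the opt-out form suggests, then any other credential-handling method in this file that the patch does not touch remains token-accessible. It is worth confirming the list of four is complete and stating the default where the key is first used, for example `allowtoken => 0, # tokens are allowed unless a method opts out; this one issues tickets`. A regression test that sends a token-authenticated request to each of the four paths and expects a rejection would pin the behaviour. Each register_method call starts and ends outside its hunk, so the handler bodies were not reviewed.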