api: acme meta: require Sys.Audit on the node

As even though restricted to some specific endpoints and formats, one
can still scan HTTP, potentially also on the LAN.

We can do this here as the API call is new and was never packaged
since introduced, so this isn't a breaking change.
The TOS one will be removed with the next major release, so not a
problem anymore from then one.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/PVE/API2/ACMEAccount.pm b/PVE/API2/ACMEAccount.pm
index 93820ec4b99c132283ac5b9e915131e7853947d1..a0d0d773be3e0c9040a91f7a896fad864f492f6e 100644 (file)
--- a/PVE/API2/ACMEAccount.pm
+++ b/PVE/API2/ACMEAccount.pm
@@ -371,7 +371,9 @@ __PACKAGE__->register_method ({
     path => 'meta',
     method => 'GET',
     description => "Retrieve ACME Directory Meta Information",
-    permissions => { user => 'all' },
+    permissions => {
+       check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]],
+    },
     parameters => {
        additionalProperties => 0,
        properties => {