Am 17.02.25 um 13:19 schrieb Daniel Kral:
> Relax the required permissions to query the current list of available
> package updates and the changelog of a package on a node. Both API
> endpoints do not modify any system state except caching outputs.
>
> Those were probably only "Sys.Modify" before, since both are used in
> conjunction with upgrading packages in the WebGUI, which is only visible
> with that permission, but some users might be interested in this
> information outside of this and/or without being able to upgrade.
>
> Keep Sys.Modify for backwards compatibility.
>
> Signed-off-by: Daniel Kral <d.k...@proxmox.com>
The 'changelog' endpoint does trigger the download of the changelog of
course, but I fail to see how that could be abused for anything, so:
Reviewed-by: Fiona Ebner <f.eb...@proxmox.com>
> ---
> PVE/API2/APT.pm | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/PVE/API2/APT.pm b/PVE/API2/APT.pm
> index 47c50961..2a1de1e6 100644
> --- a/PVE/API2/APT.pm
> +++ b/PVE/API2/APT.pm
> @@ -202,7 +202,7 @@ __PACKAGE__->register_method({
> method => 'GET',
> description => "List available updates.",
> permissions => {
> - check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
> + check => ['perm', '/nodes/{node}', [ 'Sys.Audit', 'Sys.Modify' ], any
> => 1],
> },
> protected => 1,
> proxyto => 'node',
> @@ -379,7 +379,7 @@ __PACKAGE__->register_method({
> method => 'GET',
> description => "Get package changelogs.",
> permissions => {
> - check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
> + check => ['perm', '/nodes/{node}', [ 'Sys.Audit', 'Sys.Modify' ], any
> => 1],
> },
> proxyto => 'node',
> parameters => {
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
