* [pmg-devel] [PATCH pmg-api] fix #5438: api: mimetypes: allow all authenticated users
@ 2025-09-23  8:24 Stoiko Ivanov
  2025-09-23  9:26 ` [pmg-devel] superseded: " Stoiko Ivanov
  0 siblings, 1 reply; 2+ messages in thread
From: Stoiko Ivanov @ 2025-09-23  8:24 UTC
  To: pmg-devel

The list of mime-types recognized by the system is not really
sensitive information. The call itself reads a directory from disk,
which technically has a potential for causing load (but that should be
cached after the first read).

Allowing it for all authenticated backend users should be ok.

The issue itself is fixed by allowing all 'admin' users to
access it, as they are the ones who can edit what-objects (where this
is queried).

To err on the cautious side the patch still only allows admin users.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---

 src/PMG/API2/MimeTypes.pm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/PMG/API2/MimeTypes.pm b/src/PMG/API2/MimeTypes.pm
index f18879fc..688c68eb 100644
--- a/src/PMG/API2/MimeTypes.pm
+++ b/src/PMG/API2/MimeTypes.pm
@@ -73,6 +73,7 @@ __PACKAGE__->register_method({
     path => '',
     method => 'GET',
     description => "Get Mime Types List",
+    permissions => { check => ['admin'] },
     parameters => {
         additionalProperties => 0,
     },
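Review bot: The added line `permissions => { check => ['admin'] },` limits this GET handler to the admin role, which does not match the subject "allow all authenticated users"; the commit message also argues both ways (all authenticated users "should be ok", yet the patch "still only allows admin users"). Either retitle the patch to say it grants access to admin users only, or widen the check if access for every authenticated user is what is actually intended. A one-line comment above the new `permissions` entry stating why admin-only was chosen (admins are the ones editing what-objects, where this list is queried) would keep the reasoning next to the code, since the handler takes no parameters and the only stated concern is the cost of the directory read.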
-- 
2.39.5


