* [pmg-devel] [PATCH pmg-api v2] fix #5438: api: mimetypes: allow admin users
From: Stoiko Ivanov @ 2025-09-23 9:26 UTC
To: pmg-devel
The list of mime-types recognized by the system is not really
sensitive information. The call itself reads a directory from disk,
which technically has a potential for causing load (but that should be
cached after the first read).
Allowing it for all authenticated backend users should be ok.
The issue itself is fixed by allowing all 'admin' users to
access it, as they are the ones who can edit what-objects (where this
is queried).
To err on the cautious side the patch still only allows admin users.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
v1->v2:
* fixed the commit-message (the patch originally allowed all roles, but
I decided to change that after writing the initial commit-message)
src/PMG/API2/MimeTypes.pm | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/PMG/API2/MimeTypes.pm b/src/PMG/API2/MimeTypes.pm
index f18879fc..688c68eb 100644
--- a/src/PMG/API2/MimeTypes.pm
+++ b/src/PMG/API2/MimeTypes.pm
@@ -73,6 +73,7 @@ __PACKAGE__->register_method({
path => '',
method => 'GET',
description => "Get Mime Types List",
+ permissions => { check => ['admin'] },
parameters => {
additionalProperties => 0,
},
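Review bot: the added `permissions => { check => ['admin'] }` line has no comment explaining why the check is limited to 'admin', even though the commit message argues the list is not sensitive and that all authenticated backend users would be acceptable. A one-line comment above it, saying the role is chosen to match the users who can edit what-objects, would keep a later reader from widening or narrowing it by accident. It is also worth confirming that this role list is the same one used on the what-object edit methods that query this endpoint, since a mismatch would leave the lookup failing for some users who are allowed to edit.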
--
2.39.5
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
* [pmg-devel] applied: [PATCH pmg-api v2] fix #5438: api: mimetypes: allow admin users
From: Thomas Lamprecht @ 2025-09-23 9:39 UTC
To: pmg-devel, Stoiko Ivanov
On Tue, 23 Sep 2025 11:26:11 +0200, Stoiko Ivanov wrote:
> The list of mime-types recognized by the system is not really
> sensitive information. The call itself reads a directory from disk,
> which technically has a potential for causing load (but that should be
> cached after the first read).
>
> Allowing it for all authenticated backend users should be ok.
>
> [...]
Applied, thanks!
Reworded the commit message a bit to avoid a few redundant mentionings of
allowing it only for admins and the "Allowing it for all authenticated backend
users should be ok." was IMO slightly confusing, as it sorta implied to me that
this is the route you go, while then again mentioning admin-only in the next
paragraph. Anyhow, certainly somewhat nitpicking but tried to avoid that tiny
confusion potential.
[1/1] fix #5438: api: mimetypes: allow admin users
commit: da0e939b2c7913f90413f928ccc1eaa9c3bb70bd