From: Christoph Heiss <c.heiss@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [PATCH datacenter-manager] api: certificates: require only AUDIT for listing certificate info
Date: Fri, 22 May 2026 11:53:01 +0200
Message-ID: <20260522100231.216439-1-c.heiss@proxmox.com>

No need to have listing endpoint require MODIFY permissions.

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Had a brief discussion with Shannon about this - the endpoint could
probably be even public, not requiring any particular permissions?
Since certificate information isn't private (by definition) anyway. 

Or are there plans to eventually add support for having multiple
certificates or something? In which case it *might* be useful to have
it not public.

Happy to send a patch for that too, but wanted to quickly discuss it
beforehand.

 server/src/api/nodes/certificates.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/src/api/nodes/certificates.rs b/server/src/api/nodes/certificates.rs
index 47aef7a..fc12e47 100644
--- a/server/src/api/nodes/certificates.rs
+++ b/server/src/api/nodes/certificates.rs
@@ -13,7 +13,7 @@ use proxmox_acme_api::{AcmeDomain, CertificateInfo};
 use proxmox_rest_server::WorkerTask;
 use proxmox_schema::api_types::NODE_SCHEMA;
 
-use pdm_api_types::PRIV_SYS_MODIFY;
+use pdm_api_types::{PRIV_SYS_AUDIT, PRIV_SYS_MODIFY};
 
 use crate::auth::certs::{API_CERT_FN, API_KEY_FN};
 
@@ -60,7 +60,7 @@ fn get_certificate_info() -> Result<CertificateInfo, Error> {
         },
     },
     access: {
-        permission: &Permission::Privilege(&["system", "certificates"], PRIV_SYS_MODIFY, false),
+        permission: &Permission::Privilege(&["system", "certificates"], PRIV_SYS_AUDIT, false),
     },
     returns: {
         type: Array,
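Review bot: the `permission:` line in the `access:` block now lets AUDIT-only users call the listing handler, but neither the code nor the commit message states why read-only access is safe for everything the handler returns. The file also imports `API_KEY_FN` next to `API_CERT_FN` (context line in the first hunk), so it is worth confirming that the listing path reads only the certificate file and that the returned `CertificateInfo` entries carry only public certificate data. A short comment above the `access:` block, or one more sentence in the commit message, would record that. The cover note's question about making the endpoint fully public is a separate decision from this change and should get its own patch and rationale.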
-- 
2.53.0

Thread overview: 2+ messages
2026-05-22  9:53 Christoph Heiss [this message]
2026-05-22 14:12 ` applied: [PATCH datacenter-manager] api: certificates: require only AUDIT for listing certificate info Thomas Lamprecht