From: Stefan Hanreich <s.hanreich@proxmox.com>
To: Shannon Sterz <s.sterz@proxmox.com>
Cc: Proxmox Datacenter Manager development discussion
<pdm-devel@lists.proxmox.com>
Subject: Re: [pdm-devel] [PATCH datacenter-manager 2/3] fix #6901: api: add explicit permission check for vnets list
Date: Thu, 16 Oct 2025 11:24:11 +0200 [thread overview]
Message-ID: <70b771e4-41f5-4e07-bd46-54da8e9774e8@proxmox.com> (raw)
In-Reply-To: <DDJLG0Y8J5CP.1NMNIMD5ZEYZE@proxmox.com>
On 10/16/25 10:12 AM, Shannon Sterz wrote:
>> we use UNAUTHORIZED instead of FORBIDDEN in other places, so imo would
>> be better to do that here too - same for the other 2 patches as well.
>
> this was already discussed for a previous patch series. UNAUTHORIZED
> there is arguably false, as we usually return a 403 FORBIDDEN when a
> user does not have sufficient permissions (e.g. that's what you get if
> you define permissions through the api macro and a user doesn't have
> them). not a 401 UNAUTHORIZED, which we use to indicate that the user
> has not been authenticated (i.e. no or invalid ticket).
>
> iirc Permission::Anybody above means that anybody that has been
> authenticated can access this endpoint (as opposed to Permission::World,
> which means even unauthenticated users can access it). hence, we know
> the user is authenticated here. so this is fine, but returning 401
> UNAUTHORIZED in those other endpoints is wrong imo.
>
> note that the ui relies on that in many cases: a 401 will trigger the
> login prompt to be shown again, a 403 will simply show an error.
>
makes sense, thanks for clearing this up!
_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
next prev parent reply other threads:[~2025-10-16 9:24 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-14 15:03 [pdm-devel] [PATCH datacenter-manager 0/3] fix #6901: allow non root users to access the EVPN dashboard Shan Shaji
2025-10-14 15:03 ` [pdm-devel] [PATCH datacenter-manager 1/3] fix #6901: api: add explicit permission check for controllers list Shan Shaji
2025-10-14 15:03 ` [pdm-devel] [PATCH datacenter-manager 2/3] fix #6901: api: add explicit permission check for vnets list Shan Shaji
2025-10-15 15:20 ` Stefan Hanreich
2025-10-16 8:12 ` Shannon Sterz
2025-10-16 9:24 ` Stefan Hanreich [this message]
2025-10-17 11:45 ` Shan Shaji
2025-10-17 13:05 ` Shan Shaji
2025-10-14 15:03 ` [pdm-devel] [PATCH datacenter-manager 3/3] fix #6901: api: add explicit permission check for zones list Shan Shaji
2025-10-15 15:26 ` [pdm-devel] [PATCH datacenter-manager 0/3] fix #6901: allow non root users to access the EVPN dashboard Stefan Hanreich
2025-10-17 11:44 ` Shan Shaji
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=70b771e4-41f5-4e07-bd46-54da8e9774e8@proxmox.com \
--to=s.hanreich@proxmox.com \
--cc=pdm-devel@lists.proxmox.com \
--cc=s.sterz@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.