From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 3937B1FF191 for ; Tue, 23 Sep 2025 11:25:51 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 1D28F8F9C; Tue, 23 Sep 2025 11:26:21 +0200 (CEST) From: Stoiko Ivanov To: pmg-devel@lists.proxmox.com Date: Tue, 23 Sep 2025 11:26:11 +0200 Message-Id: <20250923092611.5058-1-s.ivanov@proxmox.com> X-Mailer: git-send-email 2.39.5 MIME-Version: 1.0 X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1758619565422 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.071 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pmg-devel] [PATCH pmg-api v2] fix #5438: api: mimetypes: allow admin users X-BeenThere: pmg-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Mail Gateway development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pmg-devel-bounces@lists.proxmox.com Sender: "pmg-devel" The list of mime-types recognized by the system is not really sensitive information. The call itself reads a directory from disk, which technically has a potential for causing load (but that should be cached after the first read). Allowing it for all authenticated backend users should be ok. The issue itself is fixed by allowing all 'admin' users to access it, as they are the ones who can edit what-objects (where this is queried). To err on the cautious side the patch still only allows admin users. Signed-off-by: Stoiko Ivanov --- v1->v2: * fixed the commit-message (the patch originally allowed all roles, but I decided to change that after writing the initial commit-message) src/PMG/API2/MimeTypes.pm | 1 + 1 file changed, 1 insertion(+) diff --git a/src/PMG/API2/MimeTypes.pm b/src/PMG/API2/MimeTypes.pm index f18879fc..688c68eb 100644 --- a/src/PMG/API2/MimeTypes.pm +++ b/src/PMG/API2/MimeTypes.pm @@ -73,6 +73,7 @@ __PACKAGE__->register_method({ path => '', method => 'GET', description => "Get Mime Types List", + permissions => { check => ['admin'] }, parameters => { additionalProperties => 0, }, -- 2.39.5 _______________________________________________ pmg-devel mailing list pmg-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel