From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 98A921FF16B for ; Thu, 31 Oct 2024 14:46:44 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 57F70AB5B; Thu, 31 Oct 2024 14:46:43 +0100 (CET) From: Daniel Kral To: pve-devel@lists.proxmox.com Date: Thu, 31 Oct 2024 14:46:28 +0100 Message-Id: <20241031134629.144893-3-d.kral@proxmox.com> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20241031134629.144893-1-d.kral@proxmox.com> References: <20241031134629.144893-1-d.kral@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.000 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pve-devel] [PATCH manager 3/4] fix #5722: ui: api token: allow unprivileged users to create their own api tokens X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" Since `48a66a12ee19a8d14e92827623aa005c2ab2c06c` (ui: api token: rewrite), the TokenEdit edit modal is prefilled with the userid, which is currently logged in. The selector items in Proxmox.form.UserSelector used in the TokenEdit component are filled from the `/access/users` API endpoint, therefore the user selection is restricted to which the user has "Sys.Audit" or "User.Modify" permissions and the current authenticated user themselves. Therefore, the button can be accessible to unprivileged users as well. This change allows users without the "User.Modify" permission to add API tokens, since this is already allowed by the API endpoint `/access/users/{userid}/token/{tokenid}`. Signed-off-by: Daniel Kral --- www/manager6/dc/TokenView.js | 1 - 1 file changed, 1 deletion(-) diff --git a/www/manager6/dc/TokenView.js b/www/manager6/dc/TokenView.js index 7d6d4274..d275a1c5 100644 --- a/www/manager6/dc/TokenView.js +++ b/www/manager6/dc/TokenView.js @@ -74,7 +74,6 @@ Ext.define('PVE.dc.TokenView', { let tbar = [ { text: gettext('Add'), - disabled: !caps.access['User.Modify'], handler: function(btn, e) { let data = {}; let win = Ext.create('PVE.dc.TokenEdit', { -- 2.39.5 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel