do not define roles on private endpoints

truenas · Jan 30, 2025 · 29b24ad · 29b24ad
1 parent 711849d
commit 29b24ad
Show file tree

Hide file tree

Showing 5 changed files with 6 additions and 4 deletions.
diff --git a/src/middlewared/middlewared/api/base/decorator.py b/src/middlewared/middlewared/api/base/decorator.py
@@ -95,6 +95,8 @@ def wrapped(*args):
                 return result
 
         if roles:
+            if private:
+                raise ValueError('Private endpoints should not use roles.')
             if not authorization_required or not authentication_required:
                 raise ValueError('Authentication and authorization must be enabled in order to use roles.')
         elif not authentication_required and not authorization_required:

diff --git a/src/middlewared/middlewared/plugins/boot.py b/src/middlewared/middlewared/plugins/boot.py
@@ -204,7 +204,7 @@ async def set_scrub_interval(self, interval):
         )
         return interval
 
-    @api_method(BootUpdateInitramfsArgs, BootUpdateInitramfsResult, roles=['BOOT_ENV_WRITE'], private=True)
+    @api_method(BootUpdateInitramfsArgs, BootUpdateInitramfsResult, private=True)
     async def update_initramfs(self, options):
         """
         Returns true if initramfs was updated and false otherwise.

diff --git a/src/middlewared/middlewared/plugins/boot_/format.py b/src/middlewared/middlewared/plugins/boot_/format.py
@@ -6,7 +6,7 @@
 
 class BootService(Service):
 
-    @api_method(BootFormatArgs, BootFormatResult, roles=['DISK_WRITE'], private=True)
+    @api_method(BootFormatArgs, BootFormatResult, private=True)
     async def format(self, dev, options):
         """
         Format a given disk `dev` using the appropriate partition layout

diff --git a/src/middlewared/middlewared/plugins/rdma/rdma.py b/src/middlewared/middlewared/plugins/rdma/rdma.py
@@ -45,7 +45,7 @@ def get_pci_vpd(self, pci_addr):
                 result['part'] = sline[len(PART_NUMBER_PREFIX):]
         return result
 
-    @api_method(RdmaLinkConfigArgs, RdmaLinkConfigResult, private=True, roles=['NETWORK_INTERFACE_READ'])
+    @api_method(RdmaLinkConfigArgs, RdmaLinkConfigResult, private=True)
     async def get_link_choices(self, all):
         """Return a list containing dictionaries with keys 'rdma' and 'netdev'.
 

diff --git a/src/middlewared/middlewared/plugins/smb.py b/src/middlewared/middlewared/plugins/smb.py
@@ -1325,7 +1325,7 @@ async def validate(self, data, schema_name, verrors, old=None):
                     'This feature may be enabled in the general SMB server configuration.'
                 )
 
-    @api_method(SmbSharePrecheckArgs, SmbSharePrecheckResult, roles=['READONLY_ADMIN'], private=True)
+    @api_method(SmbSharePrecheckArgs, SmbSharePrecheckResult, private=True)
     async def share_precheck(self, data):
         verrors = ValidationErrors()
         ad_enabled = (await self.middleware.call('activedirectory.config'))['enable']