From 570cb018da2e50465efd7b006d0c5f2536f512d0 Mon Sep 17 00:00:00 2001
From: Dominic Black
Date: Sun, 4 Jun 2023 16:05:21 +0000
Subject: [PATCH] ipn/localapi: require only read permission for WatchIPNBus (#7798)

Allow calls to `WatchIPNBus` to be permformed by clients with Readonly permissions. This brings it in line with the permissions required for `Status`, which also exposes the similar information. This allows clients to get realtime updates about the tailnet in their own applications, without needing to actively poll the `Status` endpoint.
Fixes https://github.com/tailscale/tailscale/issues/7797
Signed-off-by: Dominic Black
---
 ipn/localapi/localapi.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipn/localapi/localapi.go b/ipn/localapi/localapi.go
index 28371a45d..e57567ab5 100644
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -930,8 +930,8 @@ func InUseOtherUserIPNStream(w http.ResponseWriter, r *http.Request, err error)
 }

 func (h *Handler) serveWatchIPNBus(w http.ResponseWriter, r *http.Request) {
- if !h.PermitWrite {
- http.Error(w, "denied", http.StatusForbidden)
+ if !h.PermitRead {
+ http.Error(w, "watch ipn bus access denied", http.StatusForbidden)
 return
 }
 f, ok := w.(http.Flusher)
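Review bot: The relaxed gate at the top of serveWatchIPNBus (`if !h.PermitRead`) lets read-only clients subscribe to the whole notification stream, and nothing in the visible lines limits what that stream carries to what `Status` exposes. If bus notifications can include key material or other write-level data (the ipn package has a `NotifyNoPrivateKeys` watch option, which suggests they can), read-only callers should be required to set it, for example after the watch mask is parsed: `if mask&ipn.NotifyNoPrivateKeys == 0 && !h.PermitWrite { http.Error(w, "watch ipn bus access denied", http.StatusForbidden); return }`. The function body continues outside the hunk, so the mask handling and its variable name are assumed here rather than read from the patch. A test that a handler with only PermitRead is refused when it does not request key filtering would pin the intended boundary.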