From b091264c0a8857d02771286b47ec46c2d5be36bc Mon Sep 17 00:00:00 2001 From: Brad Fitzpatrick Date: Fri, 23 Aug 2024 08:34:36 -0700 Subject: [PATCH] cmd/systray: set ipn.NotifyNoPrivateKeys, permit non-operator use Otherwise you get "Access denied: watch IPN bus access denied, must set ipn.NotifyNoPrivateKeys when not running as admin/root or operator". This lets a non-operator at least start the app and see the status, even if they can't change everything. (the web UI is unaffected by operator) A future change can add a LocalAPI call to check permissions and guide people through adding a user as an operator (perhaps the web client can do that?) Updates #1708 Change-Id: I699e035a251b4ebe14385102d5e7a2993424c4b7 Signed-off-by: Brad Fitzpatrick
---
 cmd/systray/systray.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/systray/systray.go b/cmd/systray/systray.go
index 623caabc4..9276ad99e 100644
--- a/cmd/systray/systray.go
+++ b/cmd/systray/systray.go
@@ -180,7 +180,7 @@ func (menu *Menu) eventLoop(ctx context.Context) {
 // watchIPNBus subscribes to the tailscale event bus and sends state updates to chState.
 // This method does not return.
 func watchIPNBus(ctx context.Context) {
- watcher, err := localClient.WatchIPNBus(ctx, ipn.NotifyInitialState)
+ watcher, err := localClient.WatchIPNBus(ctx, ipn.NotifyInitialState|ipn.NotifyNoPrivateKeys)
 if err != nil {
 log.Printf("watching ipn bus: %v", err)
 }
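Review bot: The error branch right after the changed `WatchIPNBus` call only logs and then falls through: the visible `if err != nil { log.Printf("watching ipn bus: %v", err) }` has no `return`, so any failure this flag does not prevent leaves the code below working with whatever `watcher` came back alongside the error. The rest of `watchIPNBus` lies outside the hunk, so this is inferred from the three trailing context lines. If `watcher` is used after the block, add a `return` after the log call, or a retry with backoff, since the doc comment says the method does not return. It would also help to record why the mask is set, for example `// NotifyNoPrivateKeys: the tray only shows status and should not receive key material; LocalAPI denies the watch to non-operator users without it.`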