command: "update" and "rescan" need only "CONTROL" permission

From http://bugs.debian.org/513291

 "In mpd.conf, the "admin" permission covers updating the db and
 killing mpd.

 "Since there are quite some usecases in which the user can upload
 music to the mpd's directory by means of anonymous FTP or so, it is
 desirable that any user may issue a db update, while killing the mpd
 should not be possible.

 "I'd suggest to remove the db update from the admin group and either
 add it to "control" or an own group."

2 files changed, 3 insertions, 2 deletions

diff --git a/NEWS b/NEWS
index a5bcb033b..356d06f6b 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
 ver 0.17 (2011/??/??)
 * protocol:
   - support client-to-client communication
+  - "update" and "rescan" need only "CONTROL" permission
 * input:
   - cdio_paranoia: new input plugin to play audio CDs
   - curl: enable CURLOPT_NETRC
diff --git a/src/command.c b/src/command.c
index aeed55a1b..03d48a38a 100644
--- a/src/command.c
+++ b/src/command.c
@@ -2070,7 +2070,7 @@ static const struct command commands[] = {
 	  handle_replay_gain_mode },
 	{ "replay_gain_status", PERMISSION_READ, 0, 0,
 	  handle_replay_gain_status },
-	{ "rescan", PERMISSION_ADMIN, 0, 1, handle_rescan },
+	{ "rescan", PERMISSION_CONTROL, 0, 1, handle_rescan },
 	{ "rm", PERMISSION_CONTROL, 1, 1, handle_rm },
 	{ "save", PERMISSION_CONTROL, 1, 1, handle_save },
 	{ "search", PERMISSION_READ, 2, -1, handle_search },
@@ -2091,7 +2091,7 @@ static const struct command commands[] = {
 	{ "swapid", PERMISSION_CONTROL, 2, 2, handle_swapid },
 	{ "tagtypes", PERMISSION_READ, 0, 0, handle_tagtypes },
 	{ "unsubscribe", PERMISSION_READ, 1, 1, handle_unsubscribe },
-	{ "update", PERMISSION_ADMIN, 0, 1, handle_update },
+	{ "update", PERMISSION_CONTROL, 0, 1, handle_update },
 	{ "urlhandlers", PERMISSION_READ, 0, 0, handle_urlhandlers },
 };