From 2abad0f479e434b741d9564bf6b9afc95d7e5891 Mon Sep 17 00:00:00 2001 From: Max Kellermann Date: Sun, 27 Feb 2011 23:35:00 +0100 Subject: command: "update" and "rescan" need only "CONTROL" permission From http://bugs.debian.org/513291 "In mpd.conf, the "admin" permission covers updating the db and killing mpd. "Since there are quite some usecases in which the user can upload music to the mpd's directory by means of anonymous FTP or so, it is desirable that any user may issue a db update, while killing the mpd should not be possible. "I'd suggest to remove the db update from the admin group and either add it to "control" or an own group." --- NEWS | 1 + src/command.c | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index a5bcb033b..356d06f6b 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,7 @@ ver 0.17 (2011/??/??) * protocol: - support client-to-client communication + - "update" and "rescan" need only "CONTROL" permission * input: - cdio_paranoia: new input plugin to play audio CDs - curl: enable CURLOPT_NETRC diff --git a/src/command.c b/src/command.c index aeed55a1b..03d48a38a 100644 --- a/src/command.c +++ b/src/command.c @@ -2070,7 +2070,7 @@ static const struct command commands[] = { handle_replay_gain_mode }, { "replay_gain_status", PERMISSION_READ, 0, 0, handle_replay_gain_status }, - { "rescan", PERMISSION_ADMIN, 0, 1, handle_rescan }, + { "rescan", PERMISSION_CONTROL, 0, 1, handle_rescan }, { "rm", PERMISSION_CONTROL, 1, 1, handle_rm }, { "save", PERMISSION_CONTROL, 1, 1, handle_save }, { "search", PERMISSION_READ, 2, -1, handle_search }, @@ -2091,7 +2091,7 @@ static const struct command commands[] = { { "swapid", PERMISSION_CONTROL, 2, 2, handle_swapid }, { "tagtypes", PERMISSION_READ, 0, 0, handle_tagtypes }, { "unsubscribe", PERMISSION_READ, 1, 1, handle_unsubscribe }, - { "update", PERMISSION_ADMIN, 0, 1, handle_update }, + { "update", PERMISSION_CONTROL, 0, 1, handle_update }, { "urlhandlers", PERMISSION_READ, 0, 0, handle_urlhandlers }, }; -- cgit v1.2.3