From f0bc95a066b95bc61e8bcc54b8746b6321cf36c5 Mon Sep 17 00:00:00 2001
From: Andrew Lytvynov
Date: Thu, 2 Nov 2023 17:01:26 -0600
Subject: [PATCH] ipn/localapi: make serveTKASign require write permission (#10094)

The existing read permission check looks like an oversight. Write seems more appropriate for sining new nodes.

Updates https://github.com/tailscale/corp/issues/15506

Signed-off-by: Andrew Lytvynov
---
 ipn/localapi/localapi.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipn/localapi/localapi.go b/ipn/localapi/localapi.go
index 83df7ef0e..a8b8a995f 100644
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -1685,8 +1685,8 @@ func (h *Handler) serveTKAStatus(w http.ResponseWriter, r *http.Request) {
 }
 
 func (h *Handler) serveTKASign(w http.ResponseWriter, r *http.Request) {
- if !h.PermitRead {
- http.Error(w, "lock status access denied", http.StatusForbidden)
+ if !h.PermitWrite {
+ http.Error(w, "lock sign access denied", http.StatusForbidden)
 return
 }
 if r.Method != httpm.POST {
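Review bot: Nothing in this commit pins the new authorization behaviour of `serveTKASign`: the diffstat shows only `ipn/localapi/localapi.go` changed, so no test asserts that a handler with `PermitRead` set but `PermitWrite` unset gets `http.StatusForbidden` from the sign endpoint. The original `PermitRead` gate was itself described as an oversight, so a table-driven regression test over the handler's permission bits would keep it from slipping back. The function also has no doc comment stating its authorization contract; going by the commit message, I would add something like `// serveTKASign handles tailnet-lock node signing requests; it requires PermitWrite because signing is a mutating operation.` above the signature. The body continues past the end of the hunk and the other TKA handlers are not visible here, so it is worth checking whether any other mutating handler in this file still gates only on `PermitRead`.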