From 5e673b89f64d28eb453bdb723fea5a0313d2083a Mon Sep 17 00:00:00 2001
From: Martin Raszyk <martin.raszyk@dfinity.org>
Date: Tue, 22 Aug 2023 14:07:35 +0200
Subject: [PATCH] whitelist node paths in read_state requests

---
 spec/index.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/spec/index.md b/spec/index.md
index abde0ae3a..c43b10c9e 100644
--- a/spec/index.md
+++ b/spec/index.md
@@ -667,7 +667,7 @@ All requested paths must have the following form:
 
 -   `/time`. Can always be requested.
 
--   `/subnet`, `/subnet/<subnet_id>`, `/subnet/<subnet_id>/public_key`, `/subnet/<subnet_id>/canister_ranges`. Can always be requested.
+-   `/subnet`, `/subnet/<subnet_id>`, `/subnet/<subnet_id>/public_key`, `/subnet/<subnet_id>/canister_ranges`, `/subnet/<subnet_id>/node`, `/subnet/<subnet_id>/node/<node_id>`, `/subnet/<subnet_id>/node/<node_id>/public_key`. Can always be requested.
 
 -   `/request_status/<request_id>`, `/request_status/<request_id>/status`, `/request_status/<request_id>/reply`, `/request_status/<request_id>/reject_code`, `/request_status/<request_id>/reject_message`, `/request_status/<request_id>/error_code`. Can be requested if no path with such a prefix exists in the state tree or
 
@@ -4740,6 +4740,9 @@ The predicate `may_read_path` is defined as follows, implementing the access con
     may_read_path(S, _, ["subnet", sid]) = True
     may_read_path(S, _, ["subnet", sid, "public_key"]) = True
     may_read_path(S, _, ["subnet", sid, "canister_ranges"]) = True
+    may_read_path(S, _, ["subnet", sid, "node"]) = True
+    may_read_path(S, _, ["subnet", sid, "node", nid]) = True
+    may_read_path(S, _, ["subnet", sid, "node", nid, "public_key"]) = True
     may_read_path(S, _, ["request_status", Rid]) =
     may_read_path(S, _, ["request_status", Rid, "status"]) =
     may_read_path(S, _, ["request_status", Rid, "reply"]) =