From 6430a990988ee4b874a2c16845d683a3d67aaaad Mon Sep 17 00:00:00 2001
From: Christian Lindig <christian.lindig@citrix.com>
Date: Thu, 25 Oct 2018 11:41:11 +0100
Subject: [PATCH] CA-300115 lower VM.assert_operation_valid permissions

Set the permissions for VM.assert_operation_valid to READ_ONLY as this
call doesn't mutate anything and does not reveal critical information.

Signed-off-by: Christian Lindig <christian.lindig@citrix.com>
---
 ocaml/idl/datamodel_vm.ml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ocaml/idl/datamodel_vm.ml b/ocaml/idl/datamodel_vm.ml
index 8092c0cd6ce..6f1ef9701ca 100644
--- a/ocaml/idl/datamodel_vm.ml
+++ b/ocaml/idl/datamodel_vm.ml
@@ -1209,7 +1209,7 @@ let assert_operation_valid = call
     ~doc:"Check to see whether this operation is acceptable in the current state of the system, raising an error if the operation is invalid for some reason"
     ~params:[Ref _vm, _self, "reference to the object";
              operations, "op", "proposed operation" ]
-    ~allowed_roles:_R_POOL_ADMIN
+    ~allowed_roles:_R_READ_ONLY
     ()
 
 let update_allowed_operations = call