[pve-devel] [PATCH manager] check if user is enabled after verifying a ticket
Dominik Csapak
d.csapak at proxmox.com
Thu Mar 12 15:09:21 CET 2020
when a user is disabled, we do not touch any ACLs, and already issued
tickets are still valid (until their expiration time)
check directly after the verification of the ticket if the user
is still enabled, so that any api call fails for that user
Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
I did not find any information on whether this was the desired behaviour,
but I found it wrong to still let disabled users access the API.
This would also come in handy for my proposed LDAP sync, since
we could modify the user.cfg parser to not touch ACLs for non-existing
users, as this check also fails when the user does not exist.
PVE/HTTPServer.pm | 1 +
1 file changed, 1 insertion(+)
diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
index 7859081b..39ec1f0b 100755
--- a/PVE/HTTPServer.pm
+++ b/PVE/HTTPServer.pm
@@ -85,6 +85,7 @@ sub auth_handler {
die "No ticket\n" if !$ticket;
($username, $age, my $tfa_info) = PVE::AccessControl::verify_ticket($ticket);
+ $rpcenv->check_user_enabled($username);
if (defined($tfa_info)) {
if (defined(my $challenge = $tfa_info->{challenge})) {
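Review bot: the new `$rpcenv->check_user_enabled($username);` call sits between `verify_ticket` and the `if (defined($tfa_info))` branch, so a disabled user fails closed even while a second-factor challenge is still pending, which is the right ordering; what the hunk does not show is whether the die raised by `check_user_enabled` is handled the same way as the `die "No ticket\n"` above it (i.e. turned into an authentication failure rather than a generic server error), and whether that rejection is logged with the username, since a valid ticket being presented for a disabled or non-existent account is exactly the event an operator wants to see in the logs. Please confirm both, and consider mentioning in the commit message that this also rejects tickets of users who were deleted after the ticket was issued, as the cover letter notes.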
--
2.20.1