when a user is disabled, we do not touch any ACLs, and already issued tickets are still valid (until their expiration time)
check directly after the verification of the ticket if the user is still enabled, so that any api call fails for that user

Signed-off-by: Dominik Csapak <d.csa...@proxmox.com>
---
I did not find any information if this was the desired behaviour, but I found it wrong to still let disabled users access the api

this would also come in handy for my proposed ldap sync, since we could modify the user.cfg parser to not touch acls for non-existing users, as this check also fails when the user does not exist

 PVE/HTTPServer.pm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
index 7859081b..39ec1f0b 100755
--- a/PVE/HTTPServer.pm
+++ b/PVE/HTTPServer.pm
@@ -85,6 +85,7 @@ sub auth_handler {
 	die "No ticket\n" if !$ticket;
 	($username, $age, my $tfa_info) = PVE::AccessControl::verify_ticket($ticket);
+	$rpcenv->check_user_enabled($username);
 	if (defined($tfa_info)) {
 	    if (defined(my $challenge = $tfa_info->{challenge})) {
-- 
2.20.1

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
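Review bot: `$rpcenv` does not appear in the six context lines of the auth_handler hunk, so confirm it is already initialised at the point where `$rpcenv->check_user_enabled($username);` is inserted; if it is only set up further down in auth_handler, the new line dies with an undefined-object error instead of the intended "user disabled" failure. The placement itself is right: the check runs immediately after `PVE::AccessControl::verify_ticket($ticket)` and before the `if (defined($tfa_info))` branch, so a disabled user is rejected before any second-factor challenge is evaluated. Two things belong in the commit message rather than only in the notes after `---`: first, that check_user_enabled also rejects users that no longer exist in user.cfg, since that is a behaviour change for any caller still holding a ticket for a deleted user; second, that this is a per-request check and not a revocation, so the ticket stays a valid bearer credential and re-enabling the user within the ticket lifetime makes the previously issued ticket usable again. If an operator expects "disable" to invalidate existing sessions, that caveat should be stated, or the ticket key rotated separately.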