On 3/12/20 3:09 PM, Dominik Csapak wrote:
> When a user is disabled, we do not touch any ACLs, and already issued
> tickets are still valid (until their expiration time).
>
> Check directly after the verification of the ticket if the user
> is still enabled, so that any API call fails for that user.
>
> Signed-off-by: Dominik Csapak <d.csa...@proxmox.com>
> ---
> I did not find any information if this was the desired behaviour,
> but I found it wrong to still let disabled users access the API.
>
> This would also come in handy for my proposed LDAP sync, since
> we could modify the user.cfg parser to not touch ACLs for not existing
> users, as this check also fails when the user does not exist.
>
> PVE/HTTPServer.pm | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
> index 7859081b..39ec1f0b 100755
> --- a/PVE/HTTPServer.pm
> +++ b/PVE/HTTPServer.pm
> @@ -85,6 +85,7 @@ sub auth_handler {
> die "No ticket\n" if !$ticket;
>
> ($username, $age, my $tfa_info) =
> PVE::AccessControl::verify_ticket($ticket);
> + $rpcenv->check_user_enabled($username);
>
> if (defined($tfa_info)) {
> if (defined(my $challenge = $tfa_info->{challenge})) {
>
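Review bot: the added `$rpcenv->check_user_enabled($username);` has no comment, yet the commit message relies on a side effect that a reader of auth_handler cannot see at this point, namely that the same call also dies when $username is not present in user.cfg; add a one-line comment above it saying that it rejects both disabled and unknown users, so the second behaviour is not later mistaken for a bug and removed. The placement itself is right: the check runs after verify_ticket and before the $tfa_info branch, so a disabled user is refused before any TFA challenge handling, and since the hunk only covers the ticket path, any other way of authenticating in auth_handler that bypasses verify_ticket would need the same call.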
Applied, thanks. Nice find!

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel