]> git.proxmox.com Git - pve-access-control.git/blob - PVE/API2/User.pm
projects / pve-access-control.git / blob
? search:


37bc6c078dd9030f344a7bec75f8d9a68557d377
[pve-access-control.git] / PVE / API2 / User.pm
1 package PVE::API2::User;
2
3 use strict;
4 use warnings;
5 use PVE::Exception qw(raise raise_perm_exc raise_param_exc);
6 use PVE::Cluster qw (cfs_read_file cfs_write_file);
7 use PVE::Tools qw(split_list extract_param);
8 use PVE::AccessControl;
9 use PVE::JSONSchema qw(get_standard_option register_standard_option);
10 use PVE::TokenConfig;
11
12 use PVE::SafeSyslog;
13
14 use PVE::RESTHandler;
15
16 use base qw(PVE::RESTHandler);
17
18 register_standard_option('user-enable', {
19 description => "Enable the account (default). You can set this to '0' to disable the account",
20 type => 'boolean',
21 optional => 1,
22 default => 1,
23 });
24 register_standard_option('user-expire', {
25 description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
26 type => 'integer',
27 minimum => 0,
28 optional => 1,
29 });
30 register_standard_option('user-firstname', { type => 'string', optional => 1 });
31 register_standard_option('user-lastname', { type => 'string', optional => 1 });
32 register_standard_option('user-email', { type => 'string', optional => 1, format => 'email-opt' });
33 register_standard_option('user-comment', { type => 'string', optional => 1 });
34 register_standard_option('user-keys', {
35 description => "Keys for two factor auth (yubico).",
36 type => 'string',
37 optional => 1,
38 });
39 register_standard_option('group-list', {
40 type => 'string', format => 'pve-groupid-list',
41 optional => 1,
42 completion => \&PVE::AccessControl::complete_group,
43 });
44 register_standard_option('token-subid', {
45 type => 'string',
46 pattern => $PVE::AccessControl::token_subid_regex,
47 description => 'User-specific token identifier.',
48 });
49 register_standard_option('token-expire', {
50 description => "API token expiration date (seconds since epoch). '0' means no expiration date.",
51 type => 'integer',
52 minimum => 0,
53 optional => 1,
54 default => 'same as user',
55 });
56 register_standard_option('token-privsep', {
57 description => "Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.",
58 type => 'boolean',
59 optional => 1,
60 default => 1,
61 });
62 register_standard_option('token-comment', { type => 'string', optional => 1 });
63 register_standard_option('token-info', {
64 type => 'object',
65 properties => {
66 expire => get_standard_option('token-expire'),
67 privsep => get_standard_option('token-privsep'),
68 comment => get_standard_option('token-comment'),
69 }
70 });
71
72 my $token_info_extend = sub {
73 my ($props) = @_;
74
75 my $obj = get_standard_option('token-info');
76 my $base_props = $obj->{properties};
77 $obj->{properties} = {};
78
79 foreach my $prop (keys %$base_props) {
80 $obj->{properties}->{$prop} = $base_props->{$prop};
81 }
82
83 foreach my $add_prop (keys %$props) {
84 $obj->{properties}->{$add_prop} = $props->{$add_prop};
85 }
86
87 return $obj;
88 };
89
90 my $extract_user_data = sub {
91 my ($data, $full) = @_;
92
93 my $res = {};
94
95 foreach my $prop (qw(enable expire firstname lastname email comment keys)) {
96 $res->{$prop} = $data->{$prop} if defined($data->{$prop});
97 }
98
99 return $res if !$full;
100
101 $res->{groups} = $data->{groups} ? [ keys %{$data->{groups}} ] : [];
102 $res->{tokens} = $data->{tokens};
103
104 return $res;
105 };
106
107 __PACKAGE__->register_method ({
108 name => 'index',
109 path => '',
110 method => 'GET',
111 description => "User index.",
112 permissions => {
113 description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
114 user => 'all',
115 },
116 parameters => {
117 additionalProperties => 0,
118 properties => {
119 enabled => {
120 type => 'boolean',
121 description => "Optional filter for enable property.",
122 optional => 1,
123 },
124 full => {
125 type => 'boolean',
126 description => "Include group and token information.",
127 optional => 1,
128 default => 0,
129 }
130 },
131 },
132 returns => {
133 type => 'array',
134 items => {
135 type => "object",
136 properties => {
137 userid => get_standard_option('userid-completed'),
138 enable => get_standard_option('user-enable'),
139 expire => get_standard_option('user-expire'),
140 firstname => get_standard_option('user-firstname'),
141 lastname => get_standard_option('user-lastname'),
142 email => get_standard_option('user-email'),
143 comment => get_standard_option('user-comment'),
144 keys => get_standard_option('user-keys'),
145 groups => get_standard_option('group-list'),
146 tokens => {
147 type => 'array',
148 optional => 1,
149 items => $token_info_extend->({
150 tokenid => get_standard_option('token-subid'),
151 }),
152 }
153 },
154 },
155 links => [ { rel => 'child', href => "{userid}" } ],
156 },
157 code => sub {
158 my ($param) = @_;
159
160 my $rpcenv = PVE::RPCEnvironment::get();
161 my $usercfg = $rpcenv->{user_cfg};
162 my $authuser = $rpcenv->get_user();
163
164 my $res = [];
165
166 my $privs = [ 'User.Modify', 'Sys.Audit' ];
167 my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1);
168 my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
169 my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
170
171 foreach my $user (keys %{$usercfg->{users}}) {
172 if (!($canUserMod || $user eq $authuser)) {
173 next if !$allowed_users->{$user};
174 }
175
176 my $entry = &$extract_user_data($usercfg->{users}->{$user}, $param->{full});
177
178 if (defined($param->{enabled})) {
179 next if $entry->{enable} && !$param->{enabled};
180 next if !$entry->{enable} && $param->{enabled};
181 }
182
183 $entry->{groups} = join(',', @{$entry->{groups}}) if $entry->{groups};
184 $entry->{tokens} = [ map { { tokenid => $_, %{$entry->{tokens}->{$_}} } } sort keys %{$entry->{tokens}} ]
185 if defined($entry->{tokens});
186
187 $entry->{userid} = $user;
188 push @$res, $entry;
189 }
190
191 return $res;
192 }});
193
194 __PACKAGE__->register_method ({
195 name => 'create_user',
196 protected => 1,
197 path => '',
198 method => 'POST',
199 permissions => {
200 description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
201 check => [ 'and',
202 [ 'userid-param', 'Realm.AllocateUser'],
203 [ 'userid-group', ['User.Modify'], groups_param => 1],
204 ],
205 },
206 description => "Create new user.",
207 parameters => {
208 additionalProperties => 0,
209 properties => {
210 userid => get_standard_option('userid-completed'),
211 enable => get_standard_option('user-enable'),
212 expire => get_standard_option('user-expire'),
213 firstname => get_standard_option('user-firstname'),
214 lastname => get_standard_option('user-lastname'),
215 email => get_standard_option('user-email'),
216 comment => get_standard_option('user-comment'),
217 keys => get_standard_option('user-keys'),
218 password => {
219 description => "Initial password.",
220 type => 'string',
221 optional => 1,
222 minLength => 5,
223 maxLength => 64
224 },
225 groups => get_standard_option('group-list'),
226 },
227 },
228 returns => { type => 'null' },
229 code => sub {
230 my ($param) = @_;
231
232 PVE::AccessControl::lock_user_config(
233 sub {
234
235 my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
236
237 my $usercfg = cfs_read_file("user.cfg");
238
239 die "user '$username' already exists\n"
240 if $usercfg->{users}->{$username};
241
242 PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
243 if defined($param->{password});
244
245 my $enable = defined($param->{enable}) ? $param->{enable} : 1;
246 $usercfg->{users}->{$username} = { enable => $enable };
247 $usercfg->{users}->{$username}->{expire} = $param->{expire} if $param->{expire};
248
249 if ($param->{groups}) {
250 foreach my $group (split_list($param->{groups})) {
251 if ($usercfg->{groups}->{$group}) {
252 PVE::AccessControl::add_user_group($username, $usercfg, $group);
253 } else {
254 die "no such group '$group'\n";
255 }
256 }
257 }
258
259 $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if $param->{firstname};
260 $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if $param->{lastname};
261 $usercfg->{users}->{$username}->{email} = $param->{email} if $param->{email};
262 $usercfg->{users}->{$username}->{comment} = $param->{comment} if $param->{comment};
263 $usercfg->{users}->{$username}->{keys} = $param->{keys} if $param->{keys};
264
265 cfs_write_file("user.cfg", $usercfg);
266 }, "create user failed");
267
268 return undef;
269 }});
270
271 __PACKAGE__->register_method ({
272 name => 'read_user',
273 path => '{userid}',
274 method => 'GET',
275 description => "Get user configuration.",
276 permissions => {
277 check => ['userid-group', ['User.Modify', 'Sys.Audit']],
278 },
279 parameters => {
280 additionalProperties => 0,
281 properties => {
282 userid => get_standard_option('userid-completed'),
283 },
284 },
285 returns => {
286 additionalProperties => 0,
287 properties => {
288 enable => get_standard_option('user-enable'),
289 expire => get_standard_option('user-expire'),
290 firstname => get_standard_option('user-firstname'),
291 lastname => get_standard_option('user-lastname'),
292 email => get_standard_option('user-email'),
293 comment => get_standard_option('user-comment'),
294 keys => get_standard_option('user-keys'),
295 groups => {
296 type => 'array',
297 items => {
298 type => 'string',
299 format => 'pve-groupid',
300 },
301 },
302 tokens => {
303 type => 'object',
304 },
305 },
306 type => "object"
307 },
308 code => sub {
309 my ($param) = @_;
310
311 my ($username, undef, $domain) =
312 PVE::AccessControl::verify_username($param->{userid});
313
314 my $usercfg = cfs_read_file("user.cfg");
315
316 my $data = PVE::AccessControl::check_user_exist($usercfg, $username);
317
318 return &$extract_user_data($data, 1);
319 }});
320
321 __PACKAGE__->register_method ({
322 name => 'update_user',
323 protected => 1,
324 path => '{userid}',
325 method => 'PUT',
326 permissions => {
327 check => ['userid-group', ['User.Modify'], groups_param => 1 ],
328 },
329 description => "Update user configuration.",
330 parameters => {
331 additionalProperties => 0,
332 properties => {
333 userid => get_standard_option('userid-completed'),
334 enable => get_standard_option('user-enable'),
335 expire => get_standard_option('user-expire'),
336 firstname => get_standard_option('user-firstname'),
337 lastname => get_standard_option('user-lastname'),
338 email => get_standard_option('user-email'),
339 comment => get_standard_option('user-comment'),
340 keys => get_standard_option('user-keys'),
341 groups => get_standard_option('group-list'),
342 append => {
343 type => 'boolean',
344 optional => 1,
345 requires => 'groups',
346 },
347 },
348 },
349 returns => { type => 'null' },
350 code => sub {
351 my ($param) = @_;
352
353 my ($username, $ruid, $realm) =
354 PVE::AccessControl::verify_username($param->{userid});
355
356 PVE::AccessControl::lock_user_config(
357 sub {
358
359 my $usercfg = cfs_read_file("user.cfg");
360
361 PVE::AccessControl::check_user_exist($usercfg, $username);
362
363 $usercfg->{users}->{$username}->{enable} = $param->{enable} if defined($param->{enable});
364
365 $usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire});
366
367 PVE::AccessControl::delete_user_group($username, $usercfg)
368 if (!$param->{append} && defined($param->{groups}));
369
370 if ($param->{groups}) {
371 foreach my $group (split_list($param->{groups})) {
372 if ($usercfg->{groups}->{$group}) {
373 PVE::AccessControl::add_user_group($username, $usercfg, $group);
374 } else {
375 die "no such group '$group'\n";
376 }
377 }
378 }
379
380 $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if defined($param->{firstname});
381 $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if defined($param->{lastname});
382 $usercfg->{users}->{$username}->{email} = $param->{email} if defined($param->{email});
383 $usercfg->{users}->{$username}->{comment} = $param->{comment} if defined($param->{comment});
384 $usercfg->{users}->{$username}->{keys} = $param->{keys} if defined($param->{keys});
385
386 cfs_write_file("user.cfg", $usercfg);
387 }, "update user failed");
388
389 return undef;
390 }});
391
392 __PACKAGE__->register_method ({
393 name => 'delete_user',
394 protected => 1,
395 path => '{userid}',
396 method => 'DELETE',
397 description => "Delete user.",
398 permissions => {
399 check => [ 'and',
400 [ 'userid-param', 'Realm.AllocateUser'],
401 [ 'userid-group', ['User.Modify']],
402 ],
403 },
404 parameters => {
405 additionalProperties => 0,
406 properties => {
407 userid => get_standard_option('userid-completed'),
408 }
409 },
410 returns => { type => 'null' },
411 code => sub {
412 my ($param) = @_;
413
414 my $rpcenv = PVE::RPCEnvironment::get();
415 my $authuser = $rpcenv->get_user();
416
417 my ($userid, $ruid, $realm) =
418 PVE::AccessControl::verify_username($param->{userid});
419
420 PVE::AccessControl::lock_user_config(
421 sub {
422
423 my $usercfg = cfs_read_file("user.cfg");
424
425 my $domain_cfg = cfs_read_file('domains.cfg');
426 if (my $cfg = $domain_cfg->{ids}->{$realm}) {
427 my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
428 $plugin->delete_user($cfg, $realm, $ruid);
429 }
430
431 # Remove TFA data before removing the user entry as the user entry tells us whether
432 # we need ot update priv/tfa.cfg.
433 PVE::AccessControl::user_set_tfa($userid, $realm, undef, undef, $usercfg, $domain_cfg);
434
435 delete $usercfg->{users}->{$userid};
436
437 PVE::AccessControl::delete_user_group($userid, $usercfg);
438 PVE::AccessControl::delete_user_acl($userid, $usercfg);
439 cfs_write_file("user.cfg", $usercfg);
440 }, "delete user failed");
441
442 return undef;
443 }});
444
445 __PACKAGE__->register_method ({
446 name => 'read_user_tfa_type',
447 path => '{userid}/tfa',
448 method => 'GET',
449 protected => 1,
450 description => "Get user TFA types (Personal and Realm).",
451 permissions => {
452 check => [ 'or',
453 ['userid-param', 'self'],
454 ['userid-group', ['User.Modify', 'Sys.Audit']],
455 ],
456 },
457 parameters => {
458 additionalProperties => 0,
459 properties => {
460 userid => get_standard_option('userid-completed'),
461 },
462 },
463 returns => {
464 additionalProperties => 0,
465 properties => {
466 realm => {
467 type => 'string',
468 enum => [qw(oath yubico)],
469 description => "The type of TFA the users realm has set, if any.",
470 optional => 1,
471 },
472 user => {
473 type => 'string',
474 enum => [qw(oath u2f)],
475 description => "The type of TFA the user has set, if any.",
476 optional => 1,
477 },
478 },
479 type => "object"
480 },
481 code => sub {
482 my ($param) = @_;
483
484 my ($username, undef, $realm) = PVE::AccessControl::verify_username($param->{userid});
485
486
487 my $domain_cfg = cfs_read_file('domains.cfg');
488 my $realm_cfg = $domain_cfg->{ids}->{$realm};
489 die "auth domain '$realm' does not exist\n" if !$realm_cfg;
490
491 my $realm_tfa = {};
492 $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_cfg->{tfa})
493 if $realm_cfg->{tfa};
494
495 my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
496 my $tfa = $tfa_cfg->{users}->{$username};
497
498 my $res = {};
499 $res->{realm} = $realm_tfa->{type} if $realm_tfa->{type};
500 $res->{user} = $tfa->{type} if $tfa->{type};
501 return $res;
502 }});
503
504 __PACKAGE__->register_method ({
505 name => 'token_index',
506 path => '{userid}/token',
507 method => 'GET',
508 description => "Get user API tokens.",
509 permissions => {
510 check => ['or',
511 ['userid-param', 'self'],
512 ['perm', '/access/users/{userid}', ['User.Modify']],
513 ],
514 },
515 parameters => {
516 additionalProperties => 0,
517 properties => {
518 userid => get_standard_option('userid-completed'),
519 },
520 },
521 returns => {
522 type => "array",
523 items => $token_info_extend->({
524 tokenid => get_standard_option('token-subid'),
525 }),
526 links => [ { rel => 'child', href => "{tokenid}" } ],
527 },
528 code => sub {
529 my ($param) = @_;
530
531 my $userid = PVE::AccessControl::verify_username($param->{userid});
532 my $usercfg = cfs_read_file("user.cfg");
533
534 my $user = PVE::AccessControl::check_user_exist($usercfg, $userid);
535
536 my $tokens = $user->{tokens} // {};
537 return [ map { $tokens->{$_}->{tokenid} = $_; $tokens->{$_} } keys %$tokens];
538 }});
539
540 __PACKAGE__->register_method ({
541 name => 'read_token',
542 path => '{userid}/token/{tokenid}',
543 method => 'GET',
544 description => "Get specific API token information.",
545 permissions => {
546 check => ['or',
547 ['userid-param', 'self'],
548 ['perm', '/access/users/{userid}', ['User.Modify']],
549 ],
550 },
551 parameters => {
552 additionalProperties => 0,
553 properties => {
554 userid => get_standard_option('userid-completed'),
555 tokenid => get_standard_option('token-subid'),
556 },
557 },
558 returns => get_standard_option('token-info'),
559 code => sub {
560 my ($param) = @_;
561
562 my $userid = PVE::AccessControl::verify_username($param->{userid});
563 my $tokenid = $param->{tokenid};
564
565 my $usercfg = cfs_read_file("user.cfg");
566
567 return PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
568 }});
569
570 __PACKAGE__->register_method ({
571 name => 'generate_token',
572 path => '{userid}/token/{tokenid}',
573 method => 'POST',
574 description => "Generate a new API token for a specific user. NOTE: returns API token value, which needs to be stored as it cannot be retrieved afterwards!",
575 protected => 1,
576 permissions => {
577 check => ['or',
578 ['userid-param', 'self'],
579 ['perm', '/access/users/{userid}', ['User.Modify']],
580 ],
581 },
582 parameters => {
583 additionalProperties => 0,
584 properties => {
585 userid => get_standard_option('userid-completed'),
586 tokenid => get_standard_option('token-subid'),
587 expire => get_standard_option('token-expire'),
588 privsep => get_standard_option('token-privsep'),
589 comment => get_standard_option('token-comment'),
590 },
591 },
592 returns => {
593 additionalProperties => 0,
594 type => "object",
595 properties => {
596 info => get_standard_option('token-info'),
597 value => {
598 type => 'string',
599 description => 'API token value used for authentication.',
600 },
601 },
602 },
603 code => sub {
604 my ($param) = @_;
605
606 my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
607 my $tokenid = extract_param($param, 'tokenid');
608
609 my $usercfg = cfs_read_file("user.cfg");
610
611 my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid, 1);
612 my $value;
613
614 PVE::AccessControl::check_user_exist($usercfg, $userid);
615 raise_param_exc({ 'tokenid' => 'Token already exists.' }) if defined($token);
616
617 my $generate_and_add_token = sub {
618 $usercfg = cfs_read_file("user.cfg");
619 PVE::AccessControl::check_user_exist($usercfg, $userid);
620 die "Token already exists.\n" if defined(PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid, 1));
621
622 my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
623 $value = PVE::TokenConfig::generate_token($full_tokenid);
624
625 $token = {};
626 $token->{privsep} = defined($param->{privsep}) ? $param->{privsep} : 1;
627 $token->{expire} = $param->{expire} if defined($param->{expire});
628 $token->{comment} = $param->{comment} if $param->{comment};
629
630 $usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
631 cfs_write_file("user.cfg", $usercfg);
632 };
633
634 PVE::AccessControl::lock_user_config($generate_and_add_token, 'generating token failed');
635
636 return { info => $token, value => $value };
637 }});
638
639
640 __PACKAGE__->register_method ({
641 name => 'update_token_info',
642 path => '{userid}/token/{tokenid}',
643 method => 'PUT',
644 description => "Update API token for a specific user.",
645 protected => 1,
646 permissions => {
647 check => ['or',
648 ['userid-param', 'self'],
649 ['perm', '/access/users/{userid}', ['User.Modify']],
650 ],
651 },
652 parameters => {
653 additionalProperties => 0,
654 properties => {
655 userid => get_standard_option('userid-completed'),
656 tokenid => get_standard_option('token-subid'),
657 expire => get_standard_option('token-expire'),
658 privsep => get_standard_option('token-privsep'),
659 comment => get_standard_option('token-comment'),
660 },
661 },
662 returns => get_standard_option('token-info', { description => "Updated token information." }),
663 code => sub {
664 my ($param) = @_;
665
666 my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
667 my $tokenid = extract_param($param, 'tokenid');
668
669 my $usercfg = cfs_read_file("user.cfg");
670 my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
671
672 my $update_token = sub {
673 $usercfg = cfs_read_file("user.cfg");
674 $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
675
676 my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
677
678 $token->{privsep} = $param->{privsep} if defined($param->{privsep});
679 $token->{expire} = $param->{expire} if defined($param->{expire});
680 $token->{comment} = $param->{comment} if $param->{comment};
681
682 $usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
683 cfs_write_file("user.cfg", $usercfg);
684 };
685
686 PVE::AccessControl::lock_user_config($update_token, 'updating token info failed');
687
688 return $token;
689 }});
690
691
692 __PACKAGE__->register_method ({
693 name => 'remove_token',
694 path => '{userid}/token/{tokenid}',
695 method => 'DELETE',
696 description => "Remove API token for a specific user.",
697 protected => 1,
698 permissions => {
699 check => ['or',
700 ['userid-param', 'self'],
701 ['perm', '/access/users/{userid}', ['User.Modify']],
702 ],
703 },
704 parameters => {
705 additionalProperties => 0,
706 properties => {
707 userid => get_standard_option('userid-completed'),
708 tokenid => get_standard_option('token-subid'),
709 },
710 },
711 returns => { type => 'null' },
712 code => sub {
713 my ($param) = @_;
714
715 my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
716 my $tokenid = extract_param($param, 'tokenid');
717
718 my $usercfg = cfs_read_file("user.cfg");
719 my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
720
721 my $update_token = sub {
722 $usercfg = cfs_read_file("user.cfg");
723
724 PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
725
726 my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
727 PVE::TokenConfig::delete_token($full_tokenid);
728 delete $usercfg->{users}->{$userid}->{tokens}->{$tokenid};
729
730 cfs_write_file("user.cfg", $usercfg);
731 };
732
733 PVE::AccessControl::lock_user_config($update_token, 'deleting token failed');
734
735 return;
736 }});
737 1;
Access control framework