rename user_enabled to check_user_enabled
[pve-access-control.git] / PVE / API2 / AccessControl.pm
index 10b6161909a3df39c58d06c1cf463448d4e0471f..5967c50ea30200caf6a2fb042b03edf176348d27 100644 (file)
@@ -5,7 +5,7 @@ use warnings;
 
 use PVE::SafeSyslog;
 use PVE::RPCEnvironment;
-use PVE::Cluster;
+use PVE::Cluster qw(cfs_read_file);
 use PVE::RESTHandler;
 use PVE::AccessControl;
 use PVE::JSONSchema qw(get_standard_option);
@@ -140,6 +140,9 @@ __PACKAGE__->register_method ({
        my $token;
        eval {
 
+           # test if user exists and is enabled
+           $rpcenv->check_user_enabled($username);
+
            if ($param->{path} && $param->{privs}) {
                my $privs = [ PVE::Tools::split_list($param->{privs}) ];
                my $path = PVE::AccessControl::normalize_path($param->{path});
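Review bot: The new `$rpcenv->check_user_enabled($username)` call runs before any credential has been verified, so an unauthenticated caller can trigger its failure. The handler that follows the `eval` is outside this hunk; if it passes `$@` back to the client, a disabled or unknown account becomes distinguishable from a wrong password. Please confirm that the error path returns one generic authentication failure and keeps the specific reason in the log only. The comment could record that, e.g. `# test if user exists and is enabled (failure must surface as a generic auth error)`.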
@@ -150,8 +153,10 @@ __PACKAGE__->register_method ({
 
            my $tmp;
            if (($tmp = PVE::AccessControl::verify_ticket($param->{password}, 1)) &&
-               ($tmp eq $username)) {
+               ($tmp eq 'root@pam' || $tmp eq $username)) {
                # got valid ticket
+               # Note: root@pam can create tickets for other users
+               
            } else {
                $username = PVE::AccessControl::authenticate_user($username, $param->{password});
            }
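Review bot: The widened condition `$tmp eq 'root@pam' || $tmp eq $username` lets a valid root@pam ticket obtain a ticket for any account, yet nothing in the hunk records that this happened. Only `$username` is checked for being enabled earlier in the eval, not the ticket owner `$tmp`. I would log the cross-user case, e.g. `syslog('info', "ticket for $username issued on behalf of $tmp") if $tmp ne $username;` (PVE::SafeSyslog is already imported), and also call `$rpcenv->check_user_enabled($tmp)` in that branch unless verify_ticket already covers it. This changes authentication semantics and is not part of the rename the commit title describes, so it deserves its own line in the commit message. The empty line added after the note comment carries trailing whitespace.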