return $res;
};
+__PACKAGE__->register_method ({
+ name => 'get_ticket',
+ path => 'ticket',
+ method => 'GET',
+ permissions => { user => 'world' },
+ description => "Dummy. Useful for formaters which want to priovde a login page.",
+ parameters => {
+ additionalProperties => 0,
+ },
+ returns => { type => "null" },
+ code => sub { return undef; }});
+
__PACKAGE__->register_method ({
name => 'create_ticket',
path => 'ticket',
my $rpcenv = PVE::RPCEnvironment::get();
my $res;
-
eval {
# test if user exists and is enabled
$rpcenv->check_user_enabled($username);
if (my $err = $@) {
my $clientip = $rpcenv->get_client_ip() || '';
syslog('err', "authentication failure; rhost=$clientip user=$username msg=$err");
- die $err;
+ # do not return any info to prevent user enumeration attacks
+ die PVE::Exception->new("authentication failure\n", code => 401);
}
$res->{cap} = &$compute_api_permission($rpcenv, $username);
projects / pve-access-control.git / blobdiff