]> git.proxmox.com Git - pve-access-control.git/blobdiff - src/PVE/API2/User.pm
fix #2302: allow deletion of users when realm enforces TFA
index 0a38e38d4d64ea9587bf9b1e07a203fe03c5367d..3eb4038f77f2e10a2cbb8d4864d2c4c0e80907a4 100644 (file)
@@ -442,12 +442,12 @@ __PACKAGE__->register_method ({
                $plugin->delete_user($cfg, $realm, $ruid);
            }
 
-           # Remove TFA data before removing the user entry as the user entry tells us whether
-           # we need ot update priv/tfa.cfg.
-           PVE::AccessControl::user_set_tfa($userid, $realm, undef, undef, $usercfg, $domain_cfg);
-
+           # Remove user from cache before removing the TFA entry so realms with TFA-enforcement
+           # know that it's OK to drop any TFA entry in that case.
            delete $usercfg->{users}->{$userid};
 
+           PVE::AccessControl::user_set_tfa($userid, $realm, undef, undef, $usercfg, $domain_cfg);
+
            PVE::AccessControl::delete_user_group($userid, $usercfg);
            PVE::AccessControl::delete_user_acl($userid, $usercfg);
            cfs_write_file("user.cfg", $usercfg);
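Review bot: With the user entry now deleted before the `user_set_tfa` call, that call can no longer consult the entry, yet the comment this hunk removes said the entry is what tells the code whether priv/tfa.cfg needs updating. If `user_set_tfa` (defined outside this page) skips the priv/tfa.cfg cleanup when the user is missing, TFA data could outlive the account and presumably be picked up again by a later user created with the same id; that should be confirmed for each TFA type. The new comment should record both constraints, for example `# user_set_tfa() must still purge this user's priv/tfa.cfg data although the user entry is already gone`. The enclosing handler starts and ends outside the hunk, so the locking around these calls is not visible here.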