| side by side (parent:
7a4c4fd
)
check_user_enabled: also check if user is expired
author
Dietmar Maurer
<dietmar@proxmox.com>
Wed, 30 Jun 2021 06:10:03 +0000
(08:10 +0200)
committer
Thomas Lamprecht
<t.lamprecht@proxmox.com>
Thu, 1 Jul 2021 11:13:59 +0000
(13:13 +0200)
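--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -428,12 +428,10 @@ sub verify_token {
 check_user_enabled($usercfg, $username);
 check_token_exist($usercfg, $username, $token);
- my $ctime = time();
-
 my $user = $usercfg->{users}->{$username};
- die "account expired\n" if $user->{expire} && ($user->{expire} < $ctime);
-
 my $token_info = $user->{tokens}->{$token};
+
+ my $ctime = time();
 die "token expired\n" if $token_info->{expire} && ($token_info->{expire} < $ctime);
 die "invalid token value!\n" if !PVE::Cluster::verify_token($tokenid, $value);
@@ -579,6 +577,11 @@ sub check_user_enabled {
 die "user '$username' is disabled\n" if !$noerr;
+ my $ctime = time();
+ my $expire = $usercfg->{users}->{$username}->{expire};
+
+ die "account expired\n" if $expire && ($expire < $ctime);
+
 return undef;
 }
@@ -629,11 +632,6 @@ sub authenticate_user {
 check_user_enabled($usercfg, $username);
- my $ctime = time();
- my $expire = $usercfg->{users}->{$username}->{expire};
-
- die "account expired\n" if $expire && ($expire < $ctime);
-
 my $domain_cfg = cfs_read_file('domains.cfg');
 my $cfg = $domain_cfg->{ids}->{$realm};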
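Review bot: In the check_user_enabled hunk the added expiry check sits after `die "user '$username' is disabled\n" if !$noerr;`, so a call made without `$noerr` cannot reach it: as far as the hunk shows, such a call either leaves the sub earlier (the body above the hunk is not visible) or dies on the disabled check. verify_token and authenticate_user both call it as `check_user_enabled($usercfg, $username)` and lose their own expiry checks in this commit, so an enabled account whose `expire` is in the past would appear to pass both paths. The new `die "account expired\n"` also ignores `$noerr`, unlike the disabled check just above it, so a caller asking for a boolean result would get an exception instead. The expiry test should run before any early success return and honour the flag, e.g. `if ($expire && $expire < $ctime) { die "account expired\n" if !$noerr; return undef; }`. A regression test using an enabled user with a past `expire` against both the password and token paths would pin the intended behaviour.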