From: Thomas Lamprecht <t.lamprecht@proxmox.com>
Date: Tue, 29 Sep 2020 05:09:51 +0000 (+0200)
Subject: api/users: catch existing user also on case insensitive realm
X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=commitdiff_plain;h=f335d265b856f186dd6ac9cfef746c0e1df2d281

api/users: catch existing user also on case insensitive realm

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---

diff --git a/PVE/API2/User.pm b/PVE/API2/User.pm
index f282a1c..05de57f 100644
--- a/PVE/API2/User.pm
+++ b/PVE/API2/User.pm
@@ -234,8 +234,9 @@ __PACKAGE__->register_method ({
 
 	    my $usercfg = cfs_read_file("user.cfg");
 
-	    die "user '$username' already exists\n"
-		if $usercfg->{users}->{$username};
+	    # ensure "user exists" check works for case insensitive realms
+	    $username = PVE::AccessControl::lookup_username($username, 1);
+	    die "user '$username' already exists\n" if $usercfg->{users}->{$username};
 
 	    PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
 		if defined($param->{password});
diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index d3bc6ea..8b5be1e 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -892,7 +892,7 @@ sub add_role_privs {
 }
 
 sub lookup_username {
-    my ($username) = @_;
+    my ($username, $noerr) = @_;
 
     $username =~ m!^(${PVE::Auth::Plugin::user_regex})\@(${PVE::Auth::Plugin::realm_regex})$!;
 
@@ -905,7 +905,7 @@ sub lookup_username {
 	my @matches = grep { lc $username eq lc $_ } (keys %{$usercfg->{users}});
 
 	die "ambiguous case insensitive match of username '$username', cannot safely grant access!\n"
-	    if scalar @matches > 1;
+	    if scalar @matches > 1 && !$noerr;
 
 	return $matches[0]
     }