From 8a724f7b3a709a5cc8a723840e0104bfad6daf83 Mon Sep 17 00:00:00 2001 From: Dietmar Maurer Date: Wed, 30 Jun 2021 08:10:03 +0200 Subject: [PATCH] check_user_enabled: also check if user is expired --- src/PVE/AccessControl.pm | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm index 2569a35..8628678 100644 --- a/src/PVE/AccessControl.pm +++ b/src/PVE/AccessControl.pm @@ -428,12 +428,10 @@ sub verify_token { check_user_enabled($usercfg, $username); check_token_exist($usercfg, $username, $token); - my $ctime = time(); - my $user = $usercfg->{users}->{$username}; - die "account expired\n" if $user->{expire} && ($user->{expire} < $ctime); - my $token_info = $user->{tokens}->{$token}; + + my $ctime = time(); die "token expired\n" if $token_info->{expire} && ($token_info->{expire} < $ctime); die "invalid token value!\n" if !PVE::Cluster::verify_token($tokenid, $value); @@ -579,6 +577,11 @@ sub check_user_enabled { die "user '$username' is disabled\n" if !$noerr; + my $ctime = time(); + my $expire = $usercfg->{users}->{$username}->{expire}; + + die "account expired\n" if $expire && ($expire < $ctime); + return undef; } @@ -629,11 +632,6 @@ sub authenticate_user { check_user_enabled($usercfg, $username); - my $ctime = time(); - my $expire = $usercfg->{users}->{$username}->{expire}; - - die "account expired\n" if $expire && ($expire < $ctime); - my $domain_cfg = cfs_read_file('domains.cfg'); my $cfg = $domain_cfg->{ids}->{$realm}; -- 2.39.2