[pve-devel] [PATCH pve-access-control v2 1/5] check_user_enabled: also check if user is expired
Dietmar Maurer
dietmar at proxmox.com
Wed Jun 30 08:10:03 CEST 2021
---
src/PVE/AccessControl.pm | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index 2569a35..8628678 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -428,12 +428,10 @@ sub verify_token {
check_user_enabled($usercfg, $username);
check_token_exist($usercfg, $username, $token);
- my $ctime = time();
-
my $user = $usercfg->{users}->{$username};
- die "account expired\n" if $user->{expire} && ($user->{expire} < $ctime);
-
my $token_info = $user->{tokens}->{$token};
+
+ my $ctime = time();
die "token expired\n" if $token_info->{expire} && ($token_info->{expire} < $ctime);
die "invalid token value!\n" if !PVE::Cluster::verify_token($tokenid, $value);
@@ -579,6 +577,11 @@ sub check_user_enabled {
die "user '$username' is disabled\n" if !$noerr;
+ my $ctime = time();
+ my $expire = $usercfg->{users}->{$username}->{expire};
+
+ die "account expired\n" if $expire && ($expire < $ctime);
+
return undef;
}
@@ -629,11 +632,6 @@ sub authenticate_user {
check_user_enabled($usercfg, $username);
- my $ctime = time();
- my $expire = $usercfg->{users}->{$username}->{expire};
-
- die "account expired\n" if $expire && ($expire < $ctime);
-
my $domain_cfg = cfs_read_file('domains.cfg');
my $cfg = $domain_cfg->{ids}->{$realm};
--
2.30.2
More information about the pve-devel
mailing list