[pve-devel] [PATCH pve-access-control v2 1/5] check_user_enabled: also check if user is expired

Dietmar Maurer dietmar at proxmox.com
Wed Jun 30 08:10:03 CEST 2021


---
 src/PVE/AccessControl.pm | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index 2569a35..8628678 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -428,12 +428,10 @@ sub verify_token {
     check_user_enabled($usercfg, $username);
     check_token_exist($usercfg, $username, $token);
 
-    my $ctime = time();
-
     my $user = $usercfg->{users}->{$username};
-    die "account expired\n" if $user->{expire} && ($user->{expire} < $ctime);
-
     my $token_info = $user->{tokens}->{$token};
+
+    my $ctime = time();
     die "token expired\n" if $token_info->{expire} && ($token_info->{expire} < $ctime);
 
     die "invalid token value!\n" if !PVE::Cluster::verify_token($tokenid, $value);
@@ -579,6 +577,11 @@ sub check_user_enabled {
 
     die "user '$username' is disabled\n" if !$noerr;
 
+    my $ctime = time();
+    my $expire = $usercfg->{users}->{$username}->{expire};
+
+    die "account expired\n" if $expire && ($expire < $ctime);
+
     return undef;
 }
 
@@ -629,11 +632,6 @@ sub authenticate_user {
 
     check_user_enabled($usercfg, $username);
 
-    my $ctime = time();
-    my $expire = $usercfg->{users}->{$username}->{expire};
-
-    die "account expired\n" if $expire && ($expire < $ctime);
-
     my $domain_cfg = cfs_read_file('domains.cfg');
 
     my $cfg = $domain_cfg->{ids}->{$realm};
-- 
2.30.2





More information about the pve-devel mailing list