[pve-devel] [PATCH pve-access-control] fix #6528: tfa: update user config on removal of TFA

Shan Shaji s.shaji at proxmox.com
Tue Jul 29 10:30:10 CEST 2025 

When removing TFA from a user via the command line, the change was not
reflected in the GUI or in the output of `pveum user list`. Both
continued to show that TFA was enabled for the user. Fixed the issue
by updating the user configuration file.

Signed-off-by: Shan Shaji <s.shaji at proxmox.com>
---
 
 Tested Cases:
 - Case 1:
    - Added one TFA for a user. 
    - Delete with CLI `pveum user tfa delete <user>`
    - Verified if the UI and CLI outputs are updated. 
 - Case 2:
    - Add two TFA for a user. 
    - Delete with CLI `pveum user tfa delete <user>`
    - Verified if the UI and CLI outputs are updated. 
 - Case 3: 
    - Add two TFA for a user. 
    - Delete with CLI `pveum user tfa delete <user> --id <id>`
    - Verified if the UI and CLI outputs are updated. 

 src/PVE/CLI/pveum.pm | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/PVE/CLI/pveum.pm b/src/PVE/CLI/pveum.pm
index 0645a6d..87e68df 100755
--- a/src/PVE/CLI/pveum.pm
+++ b/src/PVE/CLI/pveum.pm
@@ -141,16 +141,28 @@ __PACKAGE__->register_method({
 
         my $userid = extract_param($param, "userid");
         my $tfa_id = extract_param($param, "id");
+        my $update_user_config;
 
         PVE::AccessControl::lock_tfa_config(sub {
             my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
             if (defined($tfa_id)) {
-                $tfa_cfg->api_delete_tfa($userid, $tfa_id);
+                my $has_entries_left = $tfa_cfg->api_delete_tfa($userid, $tfa_id);
+                $update_user_config = !$has_entries_left;
             } else {
-                $tfa_cfg->remove_user($userid);
+                my $needs_user_saving = $tfa_cfg->remove_user($userid);
+                $update_user_config = $needs_user_saving;
             }
             cfs_write_file('priv/tfa.cfg', $tfa_cfg);
         });
+
+        if ($update_user_config) {
+            PVE::AccessControl::lock_user_config(sub {
+                my $user_cfg = cfs_read_file('user.cfg');
+                my $user = $user_cfg->{users}->{$userid};
+                $user->{keys} = undef;
+                cfs_write_file('user.cfg', $user_cfg);
+            });
+        }
         return;
     },
 });
-- 
2.39.5

More information about the pve-devel mailing list