[pve-devel] [PATCH pve-access-control v2] fix #6528: tfa: update user config on removal of TFA
Shan Shaji
s.shaji at proxmox.com
Tue Jul 29 13:02:29 CEST 2025
When removing TFA from a user via the command line, the change was not
reflected in the GUI or in the output of `pveum user list`. Both
continued to show that TFA was enabled for the user. Fixed the issue
by updating the user configuration file.
Signed-off-by: Shan Shaji <s.shaji at proxmox.com>
---
changes since v1:
- unconditionaly set `$update_user_config` to `true` when deleting the TFA
entry using userid.
- Fixed incomplete user config lock to avoid race conditions.
History:
- v1: https://lore.proxmox.com/pve-devel/DBOGTW5GCZZE.3V2FS3RAXC4FR@noor/T/#t
src/PVE/CLI/pveum.pm | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/PVE/CLI/pveum.pm b/src/PVE/CLI/pveum.pm
index 0645a6d..81c3a70 100755
--- a/src/PVE/CLI/pveum.pm
+++ b/src/PVE/CLI/pveum.pm
@@ -141,13 +141,25 @@ __PACKAGE__->register_method({
my $userid = extract_param($param, "userid");
my $tfa_id = extract_param($param, "id");
+ my $update_user_config;
PVE::AccessControl::lock_tfa_config(sub {
my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
if (defined($tfa_id)) {
- $tfa_cfg->api_delete_tfa($userid, $tfa_id);
+ my $has_entries_left = $tfa_cfg->api_delete_tfa($userid, $tfa_id);
+ $update_user_config = !$has_entries_left;
} else {
$tfa_cfg->remove_user($userid);
+ $update_user_config = 1;
+ }
+
+ if ($update_user_config) {
+ PVE::AccessControl::lock_user_config(sub {
+ my $user_cfg = cfs_read_file('user.cfg');
+ my $user = $user_cfg->{users}->{$userid};
+ $user->{keys} = undef;
+ cfs_write_file('user.cfg', $user_cfg);
+ });
}
cfs_write_file('priv/tfa.cfg', $tfa_cfg);
});
--
2.39.5
More information about the pve-devel
mailing list