check if user is enabled after verifying a ticket

when a user is disabled, we do not touch any ACLs, and already issued
tickets are still valid (until their expiration time)

check directly after the verification of the ticket if the user
is still enabled, so that any api call fails for that user

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak 2020-03-12 15:09:21 +01:00 committed by Thomas Lamprecht
parent a665f24d29
commit d2688c38db

@ -85,6 +85,7 @@ sub auth_handler {
die "No ticket\n" if !$ticket;
($username, $age, my $tfa_info) = PVE::AccessControl::verify_ticket($ticket);
$rpcenv->check_user_enabled($username);
if (defined($tfa_info)) {
if (defined(my $challenge = $tfa_info->{challenge})) {
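Review bot: the return value of the added `$rpcenv->check_user_enabled($username);` line is discarded, so it only rejects a disabled user if that method dies on failure. A short comment saying it is expected to die here, and that it has to stay ahead of the `$tfa_info` handling below, would keep a later refactor from turning it into a no-op. Only the ticket path in `auth_handler` is covered by the visible change, so it is worth confirming whether any other caller of `PVE::AccessControl::verify_ticket` needs the same check.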