proxmox-mirrors/pve-access-control
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-access-control synced 2025-10-04 00:02:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

return ruid in reauth_user_for_user_modification, add param name

Browse Source 
since the upcoming use case in change_password uses the returned $ruid
and the parameter is called 'confirmation-password' there

also generalize the error so it does not mention TFA

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This commit is contained in:
Wolfgang Bumiller 2024-03-15 13:44:27 +01:00
parent 060941d467
commit 90faf488db
2 changed files with 11 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/PVE/API2/TFA.pm
View File

@ -351,7 +351,7 @@ __PACKAGE__->register_method ({
my $rpcenv = PVE::RPCEnvironment::get();
my $authuser = $rpcenv->get_user();
my ($userid, $realm) = $rpcenv->reauth_user_for_user_modification(
my ($userid, undef, $realm) = $rpcenv->reauth_user_for_user_modification(
$authuser,
$param->{userid},
$param->{password},

17
src/PVE/RPCEnvironment.pm
View File

@ -637,21 +637,24 @@ sub is_worker {
return PVE::RESTEnvironment->is_worker();
}
# Permission helper for TFA and password API endpoints modifying users.
# Only root may modify root, regular users need to specify their password.
#
# Returns the userid returned from `verify_username`.
# Or ($userid, $realm) in list context.
sub reauth_user_for_user_modification : prototype($$$$) {
my ($rpcenv, $authuser, $userid, $password) = @_;
# Returns the same as `verify_username` in list context (userid, ruid, realm),
# or just the userid in scalar context.
sub reauth_user_for_user_modification : prototype($$$$;$) {
my ($rpcenv, $authuser, $userid, $password, $param_name) = @_;
($userid, undef, my $realm) = PVE::AccessControl::verify_username($userid);
$param_name //= 'password';
($userid, my $ruid, my $realm) = PVE::AccessControl::verify_username($userid);
$rpcenv->check_user_exist($userid);
raise_perm_exc() if $userid eq 'root@pam' && $authuser ne 'root@pam';
# Regular users need to confirm their password to change TFA settings.
if ($authuser ne 'root@pam') {
raise_param_exc({ 'password' => 'password is required to modify TFA data' })
raise_param_exc({ $param_name => 'password is required to modify user' })
if !defined($password);
($authuser, my $auth_username, my $auth_realm) =
@ -664,7 +667,7 @@ sub reauth_user_for_user_modification : prototype($$$$) {
$plugin->authenticate_user($cfg, $auth_realm, $auth_username, $password);
}
return wantarray ? ($userid, $realm) : $userid;
return wantarray ? ($userid, $ruid, $realm) : $userid;
}
1;