From 86f64e0d8b94dea4e5e25fe0a527dac0474a735c Mon Sep 17 00:00:00 2001
From: Dominik Csapak
Date: Thu, 12 Mar 2020 15:09:21 +0100
Subject: [PATCH] check if user is enabled after verifying a ticket

when a user is disabled, we do not touch any ACLs, and already issued tickets are still valid (until their expiration time)

check directly after the verification of the ticket if the user is still enabled, so that any api call fails for that user

Signed-off-by: Dominik Csapak
---
 PVE/HTTPServer.pm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
index 7859081b..39ec1f0b 100755
--- a/PVE/HTTPServer.pm
+++ b/PVE/HTTPServer.pm
@@ -85,6 +85,7 @@ sub auth_handler {
 die "No ticket\n" if !$ticket;
 ($username, $age, my $tfa_info) = PVE::AccessControl::verify_ticket($ticket);
+ $rpcenv->check_user_enabled($username);
 if (defined($tfa_info)) {
 if (defined(my $challenge = $tfa_info->{challenge})) {
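Review bot: The added `$rpcenv->check_user_enabled($username);` has no comment explaining why a ticket that has just verified successfully still needs an account check, and the hunk does not show how a disabled account is reported to the client. I would put `# tickets stay valid until they expire, so re-check the account on every request` above the call. The check can only be as current as the user configuration `$rpcenv` holds when it runs, so it is worth confirming that this configuration is reloaded per request before this point; that code, like the rest of `auth_handler`, lies outside the hunk. The call presumably dies for a disabled user, so a test that disables a user holding a live ticket and expects the next request to be rejected would pin the behaviour, including for the partial-ticket path that follows in the `$tfa_info` branch.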