api: improve error messages for restricted endpoints
the old variant attempted to parse a tokenid as userid and returned the cryptic parsing error to the client, which is rather confusing. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
parent
81764111fe
commit
13f5863561
@ -206,14 +206,18 @@ fn change_password(
|
|||||||
password: String,
|
password: String,
|
||||||
rpcenv: &mut dyn RpcEnvironment,
|
rpcenv: &mut dyn RpcEnvironment,
|
||||||
) -> Result<Value, Error> {
|
) -> Result<Value, Error> {
|
||||||
|
let current_auth: Authid = rpcenv
|
||||||
let current_user: Userid = rpcenv
|
|
||||||
.get_auth_id()
|
.get_auth_id()
|
||||||
.ok_or_else(|| format_err!("unknown user"))?
|
.ok_or_else(|| format_err!("no authid available"))?
|
||||||
.parse()?;
|
.parse()?;
|
||||||
let current_auth = Authid::from(current_user.clone());
|
|
||||||
|
|
||||||
let mut allowed = userid == current_user;
|
if current_auth.is_token() {
|
||||||
|
bail!("API tokens cannot access this API endpoint");
|
||||||
|
}
|
||||||
|
|
||||||
|
let current_user = current_auth.user();
|
||||||
|
|
||||||
|
let mut allowed = userid == *current_user;
|
||||||
|
|
||||||
if current_user == "root@pam" { allowed = true; }
|
if current_user == "root@pam" { allowed = true; }
|
||||||
|
|
||||||
|
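Review bot: The authid parse → `is_token()` → `bail!` guard introduced here is repeated verbatim in the termproxy and upgrade_to_websocket hunks below, so the rejection message and the ordering (token rejected before any permission logic runs) now live in three places. Pulling it into one helper that returns the owning `Userid` keeps that invariant in a single spot and lets each call site become `let current_user = require_user_auth(rpcenv)?;` — this assumes `get_auth_id` only needs `&self`; if it needs `&mut`, the helper's parameter should mirror the page's `&mut dyn RpcEnvironment`. The body of change_password continues past the hunk, so later uses of `allowed` are not visible here and the `let mut` is left as is.
```rust
/// Resolves the caller's authid and rejects API tokens.
///
/// Endpoints that act on a user account (password change, console access)
/// must be driven by the user itself; a token is refused with a clear
/// message instead of surfacing a `Userid` parse error to the client.
fn require_user_auth(rpcenv: &dyn RpcEnvironment) -> Result<Userid, Error> {
    let auth_id: Authid = rpcenv
        .get_auth_id()
        .ok_or_else(|| format_err!("no authid available"))?
        .parse()?;

    if auth_id.is_token() {
        bail!("API tokens cannot access this API endpoint");
    }

    Ok(auth_id.user().clone())
}

// … in change_password, replacing the parse/is_token/user lines …
let current_user = require_user_auth(rpcenv)?;
let mut allowed = userid == current_user;
```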
@ -92,11 +92,16 @@ async fn termproxy(
|
|||||||
rpcenv: &mut dyn RpcEnvironment,
|
rpcenv: &mut dyn RpcEnvironment,
|
||||||
) -> Result<Value, Error> {
|
) -> Result<Value, Error> {
|
||||||
// intentionally user only for now
|
// intentionally user only for now
|
||||||
let userid: Userid = rpcenv
|
let auth_id: Authid = rpcenv
|
||||||
.get_auth_id()
|
.get_auth_id()
|
||||||
.ok_or_else(|| format_err!("unknown user"))?
|
.ok_or_else(|| format_err!("no authid available"))?
|
||||||
.parse()?;
|
.parse()?;
|
||||||
let auth_id = Authid::from(userid.clone());
|
|
||||||
|
if auth_id.is_token() {
|
||||||
|
bail!("API tokens cannot access this API endpoint");
|
||||||
|
}
|
||||||
|
|
||||||
|
let userid = auth_id.user();
|
||||||
|
|
||||||
if userid.realm() != "pam" {
|
if userid.realm() != "pam" {
|
||||||
bail!("only pam users can use the console");
|
bail!("only pam users can use the console");
|
||||||
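Review bot: The `// intentionally user only for now` comment now sits above `let auth_id: Authid = rpcenv`, which parses any authid, while the "user only" restriction is actually enforced several lines later by the `is_token()` bail; a reader of the parse line has to look ahead to find where the restriction lives. Moving the comment onto the guard, e.g. `// intentionally user only for now: tokens are rejected before the realm check`, keeps the intent next to the enforcing code. The same stale placement appears in the upgrade_to_websocket hunk. The termproxy body continues beyond the hunk.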
@ -267,7 +272,16 @@ fn upgrade_to_websocket(
|
|||||||
) -> ApiResponseFuture {
|
) -> ApiResponseFuture {
|
||||||
async move {
|
async move {
|
||||||
// intentionally user only for now
|
// intentionally user only for now
|
||||||
let userid: Userid = rpcenv.get_auth_id().unwrap().parse()?;
|
let auth_id: Authid = rpcenv
|
||||||
|
.get_auth_id()
|
||||||
|
.ok_or_else(|| format_err!("no authid available"))?
|
||||||
|
.parse()?;
|
||||||
|
|
||||||
|
if auth_id.is_token() {
|
||||||
|
bail!("API tokens cannot access this API endpoint");
|
||||||
|
}
|
||||||
|
|
||||||
|
let userid = auth_id.user();
|
||||||
let ticket = tools::required_string_param(¶m, "vncticket")?;
|
let ticket = tools::required_string_param(¶m, "vncticket")?;
|
||||||
let port: u16 = tools::required_integer_param(¶m, "port")? as u16;
|
let port: u16 = tools::required_integer_param(¶m, "port")? as u16;
|
||||||
|
|
||||||
|