rest: check for disabled token (user)
when authenticating a token, and not just when authenticating a user/ticket. Reported-By: Dominik Jäger <d.jaeger@proxmox.com> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
parent
709c15abaa
commit
e411924c7c
|
@ -623,6 +623,10 @@ fn check_auth(
|
|||
.ok_or_else(|| format_err!("failed to split API token header"))?;
|
||||
let tokenid: Authid = tokenid.parse()?;
|
||||
|
||||
if !user_info.is_active_auth_id(&tokenid) {
|
||||
bail!("user account or token disabled or expired.");
|
||||
}
|
||||
|
||||
let tokensecret = parts.next()
|
||||
.ok_or_else(|| format_err!("failed to split API token header"))?;
|
||||
let tokensecret = percent_decode_str(tokensecret)
|
||||
|
|
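Review bot: The new `is_active_auth_id` check sits before the token secret is parsed and verified, so the `bail!("user account or token disabled or expired.")` path can be reached with only a token ID and no valid secret. If check_auth's error text is forwarded to the client (the caller is outside this hunk, so this is an assumption), the response would differ between a disabled or expired token and a wrong secret, which tells an unauthenticated caller the state of a token ID. Consider moving the block below the secret verification, or keep it here and add a comment such as `// runs before secret verification: callers must return a generic auth failure, not this message`. check_auth starts and ends outside the hunk, so the verification step and the error mapping could not be checked here.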