From: Hannes Laimer <h.laimer@proxmox.com>
To: Christian Ebner <c.ebner@proxmox.com>,
Proxmox Backup Server development discussion
<pbs-devel@lists.proxmox.com>
Subject: Re: [pbs-devel] [PATCH proxmox-backup 3/6] fix #4382: api: remove permissions and tokens of user on deletion
Date: Fri, 4 Apr 2025 17:23:06 +0200 [thread overview]
Message-ID: <8caa82b3-3cce-4029-af06-87e4306d5b8e@proxmox.com> (raw)
In-Reply-To: <20fe5ca6-889d-4930-ae18-457bc3abf5a5@proxmox.com>
On 4/4/25 17:06, Christian Ebner wrote:
> one comment inline
>
> On 3/20/25 14:57, Hannes Laimer wrote:
>> Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
>> ---
>> src/api2/access/user.rs | 14 ++++++++++++++
>> 1 file changed, 14 insertions(+)
>>
>> diff --git a/src/api2/access/user.rs b/src/api2/access/user.rs
>> index 39cffdba..9bed14a4 100644
>> --- a/src/api2/access/user.rs
>> +++ b/src/api2/access/user.rs
>> @@ -353,6 +353,7 @@ pub async fn update_user(
>> pub fn delete_user(userid: Userid, digest: Option<String>) ->
>> Result<(), Error> {
>> let _lock = pbs_config::user::lock_config()?;
>> let _tfa_lock = crate::config::tfa::write_lock()?;
>> + let _acl_lock = pbs_config::acl::lock_config()?;
>> let (mut config, expected_digest) = pbs_config::user::config()?;
>> @@ -380,6 +381,19 @@ pub fn delete_user(userid: Userid, digest:
>> Option<String>) -> Result<(), Error>
>> eprintln!("error updating TFA config after deleting user
>> {userid:?} {err}",);
>> }
>> + let user_tokens: Vec<ApiToken> = config
>> + .convert_to_typed_array::<ApiToken>("token")?
>> + .into_iter()
>> + .filter(|token| token.tokenid.user().eq(&userid))
>> + .collect();
>> +
>> + let (mut acl_tree, _digest) = pbs_config::acl::config()?;
>> + for token in user_tokens {
>> + if let Some(name) = token.tokenid.tokenname() {
>> + do_delete_token(name.to_owned(), &userid, &mut config,
>> &mut acl_tree)?;
>
> This removes the tokenid from the user_config and acl_config, but that
> change is never written to the config afterwards? There should be calls
> to the respective save_config implementations just like for
> delete_token. Or am I overlooking something?
>
> The user config and tfa config are already written at this point, so the
> pbs_config::user::save_config(&config) must be moved below this and the
> pbs_config::acl::save_config(&acl_tree) added as well.
actually true, I missed that. Not necessarily moving though, having it
in two places is fine, we hold the lock. And given there are some `?`s
I'd rather just add an additional
`pbs_config::user::save_config(&config)`
at the end.
A bit of unlucky timing with my v2, I'll send a v3 fixing this.
Thanks for taking a look!
>
>> + }
>> + }
>> +
>> Ok(())
>> }
>
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
next prev parent reply other threads:[~2025-04-04 15:23 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-20 13:57 [pbs-devel] [PATCH proxmox-backup/proxmox 0/6] ACL removal on user/token deletion + token regeneration Hannes Laimer
2025-03-20 13:57 ` [pbs-devel] [PATCH proxmox-backup 1/6] pbs-config: move secret generation into token_shadow Hannes Laimer
2025-03-20 13:57 ` [pbs-devel] [PATCH proxmox-backup 2/6] fix #4382: api: access: remove permissions of token on deletion Hannes Laimer
2025-03-20 13:57 ` [pbs-devel] [PATCH proxmox-backup 3/6] fix #4382: api: remove permissions and tokens of user " Hannes Laimer
2025-04-04 15:06 ` Christian Ebner
2025-04-04 15:23 ` Hannes Laimer [this message]
2025-03-20 13:57 ` [pbs-devel] [PATCH proxmox 4/6] pbs-api-types: add REGENERATE_TOKEN_SCHEMA Hannes Laimer
2025-04-02 13:04 ` [pbs-devel] applied: " Thomas Lamprecht
2025-03-20 13:57 ` [pbs-devel] [PATCH proxmox-backup 5/6] fix #3887: api: access: allow secret regeneration Hannes Laimer
2025-03-20 13:57 ` [pbs-devel] [PATCH proxmox-backup 6/6] fix #3887: ui: add regenerate token button Hannes Laimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8caa82b3-3cce-4029-af06-87e4306d5b8e@proxmox.com \
--to=h.laimer@proxmox.com \
--cc=c.ebner@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.