From: Shannon Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup 1/3] api: ignore password parameter in the update_user endpoint
Date: Fri, 4 Oct 2024 15:40:52 +0200 [thread overview]
Message-ID: <20241004134054.263913-2-s.sterz@proxmox.com> (raw)
In-Reply-To: <20241004134054.263913-1-s.sterz@proxmox.com>
currently if a password is provided, we check whether the user that is
going to be updated can authenticate with it. later on, the password
is then set as the same password. this means that the password here
can only be changed if it is the exact same one that is already used.
so in essence, the password cannot be changed through this endpoint
already. remove all of this logic here in favor of the
`PUT /access/password` endpoint.
to keep the api stable for now, just ignore the parameter and add a
description that explains what to use instead.
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
src/api2/access/user.rs | 32 +++++++++++---------------------
1 file changed, 11 insertions(+), 21 deletions(-)
diff --git a/src/api2/access/user.rs b/src/api2/access/user.rs
index 1b4adaf8..6101d5f1 100644
--- a/src/api2/access/user.rs
+++ b/src/api2/access/user.rs
@@ -12,8 +12,8 @@ use proxmox_tfa::api::TfaConfig;
use pbs_api_types::{
ApiToken, Authid, Tokenname, User, UserUpdater, UserWithTokens, Userid, ENABLE_USER_SCHEMA,
- EXPIRE_USER_SCHEMA, PBS_PASSWORD_SCHEMA, PRIV_PERMISSIONS_MODIFY, PRIV_SYS_AUDIT,
- PROXMOX_CONFIG_DIGEST_SCHEMA, SINGLE_LINE_COMMENT_SCHEMA,
+ EXPIRE_USER_SCHEMA, PASSWORD_FORMAT, PBS_PASSWORD_SCHEMA, PRIV_PERMISSIONS_MODIFY,
+ PRIV_SYS_AUDIT, PROXMOX_CONFIG_DIGEST_SCHEMA, SINGLE_LINE_COMMENT_SCHEMA,
};
use pbs_config::token_shadow;
@@ -223,7 +223,11 @@ pub enum DeletableProperty {
flatten: true,
},
password: {
- schema: PBS_PASSWORD_SCHEMA,
+ type: String,
+ description: "This parameter is ignored, please use 'PUT /access/password' to change a user's password",
+ min_length: 1,
+ max_length: 1024,
+ format: &PASSWORD_FORMAT,
optional: true,
},
delete: {
@@ -247,7 +251,7 @@ pub enum DeletableProperty {
]),
},
)]
-/// Update user configuration.
+/// Update user configuration. To change a user's password use the 'PUT /access/password' endpoint.
#[allow(clippy::too_many_arguments)]
pub async fn update_user(
userid: Userid,
@@ -255,11 +259,10 @@ pub async fn update_user(
password: Option<String>,
delete: Option<Vec<DeletableProperty>>,
digest: Option<String>,
- rpcenv: &mut dyn RpcEnvironment,
) -> Result<(), Error> {
- if password.is_some() {
- super::user_update_auth(rpcenv, &userid, password.as_deref(), false).await?;
- }
+ // ignore password here, updating passwords should happen through 'PUT /access/password'
+ // TODO: Remove with PBS 4
+ let _ = password;
let _lock = pbs_config::user::lock_config()?;
@@ -300,19 +303,6 @@ pub async fn update_user(
data.expire = if expire > 0 { Some(expire) } else { None };
}
- if let Some(password) = password {
- let user_info = CachedUserInfo::new()?;
- let current_auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
- let self_service = current_auth_id.user() == &userid;
- let target_realm = userid.realm();
- if !self_service && target_realm == "pam" && !user_info.is_superuser(¤t_auth_id) {
- bail!("only superuser can edit pam credentials!");
- }
- let authenticator = crate::auth::lookup_authenticator(userid.realm())?;
- let client_ip = rpcenv.get_client_ip().map(|sa| sa.ip());
- authenticator.store_password(userid.name(), &password, client_ip.as_ref())?;
- }
-
if let Some(firstname) = update.firstname {
data.firstname = if firstname.is_empty() {
None
--
2.39.5
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
next prev parent reply other threads:[~2024-10-04 13:41 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-04 13:40 [pbs-devel] [PATCH proxmox-backup 0/3] implement a minimum length of 8 characters for new passwords Shannon Sterz
2024-10-04 13:40 ` Shannon Sterz [this message]
2024-10-04 13:40 ` [pbs-devel] [PATCH proxmox-backup 2/3] api: enforce minimum character limit of 8 on " Shannon Sterz
2024-10-04 13:40 ` [pbs-devel] [PATCH proxmox-backup 3/3] ui: set min length for new passwords to 8 Shannon Sterz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241004134054.263913-2-s.sterz@proxmox.com \
--to=s.sterz@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox