From: Hannes Laimer <h.laimer@proxmox.com>
To: Christian Ebner <c.ebner@proxmox.com>,
Proxmox Backup Server development discussion
<pbs-devel@lists.proxmox.com>
Subject: Re: [pbs-devel] [PATCH proxmox-backup 3/6] fix #4382: api: remove permissions and tokens of user on deletion
Date: Fri, 4 Apr 2025 17:23:06 +0200 [thread overview]
Message-ID: <8caa82b3-3cce-4029-af06-87e4306d5b8e@proxmox.com> (raw)
In-Reply-To: <20fe5ca6-889d-4930-ae18-457bc3abf5a5@proxmox.com>
On 4/4/25 17:06, Christian Ebner wrote:
> one comment inline
>
> On 3/20/25 14:57, Hannes Laimer wrote:
>> Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
>> ---
>> src/api2/access/user.rs | 14 ++++++++++++++
>> 1 file changed, 14 insertions(+)
>>
>> diff --git a/src/api2/access/user.rs b/src/api2/access/user.rs
>> index 39cffdba..9bed14a4 100644
>> --- a/src/api2/access/user.rs
>> +++ b/src/api2/access/user.rs
>> @@ -353,6 +353,7 @@ pub async fn update_user(
>> pub fn delete_user(userid: Userid, digest: Option<String>) ->
>> Result<(), Error> {
>> let _lock = pbs_config::user::lock_config()?;
>> let _tfa_lock = crate::config::tfa::write_lock()?;
>> + let _acl_lock = pbs_config::acl::lock_config()?;
>> let (mut config, expected_digest) = pbs_config::user::config()?;
>> @@ -380,6 +381,19 @@ pub fn delete_user(userid: Userid, digest:
>> Option<String>) -> Result<(), Error>
>> eprintln!("error updating TFA config after deleting user
>> {userid:?} {err}",);
>> }
>> + let user_tokens: Vec<ApiToken> = config
>> + .convert_to_typed_array::<ApiToken>("token")?
>> + .into_iter()
>> + .filter(|token| token.tokenid.user().eq(&userid))
>> + .collect();
>> +
>> + let (mut acl_tree, _digest) = pbs_config::acl::config()?;
>> + for token in user_tokens {
>> + if let Some(name) = token.tokenid.tokenname() {
>> + do_delete_token(name.to_owned(), &userid, &mut config,
>> &mut acl_tree)?;
>
> This removes the tokenid from the user_config and acl_config, but that
> change is never written to the config afterwards? There should be calls
> to the respective save_config implementations just like for
> delete_token. Or am I overlooking something?
>
> The user config and tfa config are already written at this point, so the
> pbs_config::user::save_config(&config) must be moved below this and the
> pbs_config::acl::save_config(&acl_tree) added as well.
actually true, I missed that. Not necessarily moving though, having it
in two places is fine, we hold the lock. And given there are some `?`s
I'd rather just add an additional
`pbs_config::user::save_config(&config)`
at the end.
A bit of unlucky timing with my v2, I'll send a v3 fixing this.
Thanks for taking a look!
>
>> + }
>> + }
>> +
>> Ok(())
>> }
>
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
next prev parent reply other threads:[~2025-04-04 15:23 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-20 13:57 [pbs-devel] [PATCH proxmox-backup/proxmox 0/6] ACL removal on user/token deletion + token regeneration Hannes Laimer
2025-03-20 13:57 ` [pbs-devel] [PATCH proxmox-backup 1/6] pbs-config: move secret generation into token_shadow Hannes Laimer
2025-03-20 13:57 ` [pbs-devel] [PATCH proxmox-backup 2/6] fix #4382: api: access: remove permissions of token on deletion Hannes Laimer
2025-03-20 13:57 ` [pbs-devel] [PATCH proxmox-backup 3/6] fix #4382: api: remove permissions and tokens of user " Hannes Laimer
2025-04-04 15:06 ` Christian Ebner
2025-04-04 15:23 ` Hannes Laimer [this message]
2025-03-20 13:57 ` [pbs-devel] [PATCH proxmox 4/6] pbs-api-types: add REGENERATE_TOKEN_SCHEMA Hannes Laimer
2025-04-02 13:04 ` [pbs-devel] applied: " Thomas Lamprecht
2025-03-20 13:57 ` [pbs-devel] [PATCH proxmox-backup 5/6] fix #3887: api: access: allow secret regeneration Hannes Laimer
2025-03-20 13:57 ` [pbs-devel] [PATCH proxmox-backup 6/6] fix #3887: ui: add regenerate token button Hannes Laimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8caa82b3-3cce-4029-af06-87e4306d5b8e@proxmox.com \
--to=h.laimer@proxmox.com \
--cc=c.ebner@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal