Only allow local login if password is non-empty (#5906)

tokarchuk/v1.17
zeripath 6 years ago committed by Lauris BH
parent 80098bd752
commit 0f295ababa
  1. 2
      models/login_source.go
  2. 2
      modules/lfs/server.go

@ -644,7 +644,7 @@ func UserSignIn(username, password string) (*User, error) {
if hasUser { if hasUser {
switch user.LoginType { switch user.LoginType {
case LoginNoType, LoginPlain, LoginOAuth2: case LoginNoType, LoginPlain, LoginOAuth2:
if user.ValidatePassword(password) { if user.IsPasswordSet() && user.ValidatePassword(password) {
return user, nil return user, nil
} }

@ -582,7 +582,7 @@ func parseToken(authorization string) (*models.User, *models.Repository, string,
if err != nil { if err != nil {
return nil, nil, "basic", err return nil, nil, "basic", err
} }
if !u.ValidatePassword(password) { if !u.IsPasswordSet() || !u.ValidatePassword(password) {
return nil, nil, "basic", fmt.Errorf("Basic auth failed") return nil, nil, "basic", fmt.Errorf("Basic auth failed")
} }
return u, nil, "basic", nil return u, nil, "basic", nil

Loading…
Cancel
Save