fix: request a password to change sensitive user data #5629
Conversation
| ErrInvalidRequestParams = errors.New("invalid request params") | ||
| ErrSourceIsParent = errors.New("source is parent") | ||
| ErrRootUserDeletion = errors.New("user with id 1 can't be deleted") | ||
| ErrCurrentPasswordIncorrect = errors.New("the current password is incorrect") |
There was a problem hiding this comment.
Error returned when validating the logged-in user's password if validation fails
| body: JSON.stringify({ | ||
| what: "user", | ||
| which: [], | ||
| current_password: currentPassword, |
There was a problem hiding this comment.
Send current password entered in the form
| body: JSON.stringify({ | ||
| what: "user", | ||
| which: which, | ||
| ...(currentPassword != null ? { current_password: currentPassword } : {}), |
There was a problem hiding this comment.
Send current password entered in the form (only if it was sent in the argument)
| minimumPasswordLength: number; | ||
| userHomeBasePath: string; | ||
| defaults: SettingsDefaults; | ||
| authMethod: string; |
There was a problem hiding this comment.
Include authentication type in the settings returned to the frontend to show/hide the "current password" field depending on the authentication type
| aceEditorTheme.value = authStore.user.aceEditorTheme; | ||
| layoutStore.loading = false; | ||
| const { authMethod } = await settings.get(); | ||
| isCurrentPasswordRequired.value = authMethod == "json"; |
There was a problem hiding this comment.
Display the "current password" field only if the authentication type is JSON
| return http.StatusBadRequest, err | ||
| } | ||
|
|
||
| if d.settings.AuthMethod == auth.MethodJSONAuth { |
There was a problem hiding this comment.
Apply verification if the authentication type is JSON
| return http.StatusBadRequest, err | ||
| } | ||
|
|
||
| if d.settings.AuthMethod == auth.MethodJSONAuth { |
There was a problem hiding this comment.
Apply verification if the authentication type is JSON
| } | ||
|
|
||
| if d.settings.AuthMethod == auth.MethodJSONAuth { | ||
| var sensibleFields = map[string]struct{}{ |
There was a problem hiding this comment.
Define the sensitive fields. If these are sent from the frontend for updating, validation must be applied.
|
After upgrading to the latest version, although you need to confirm the current password again when creating or modifying user information, deleting users still does not require the current password! Deleting users should also be a sensitive operation, right? |
Yes, I'll open a PR with this change. |
Thank you very much for your reply and efforts. |
Description
When modifying sensitive user data (such as passwords, executing commands, registering new users, etc.), the authenticated user's password is requested to validate the action.
This only applies if the authentication method is "json" (JSON Web Token). With the "proxy" authentication method, it would require validation that is outside the scope of the Filebrowser backend. It could also apply to the "hook" authentication method, but this could cause confusion for Filebrowser users.
Additional Information
Closes #5213
Checklist
Before submitting your PR, please indicate which issues are either fixed or closed by this PR. See GitHub Help: Closing issues using keywords.
masterbranch.