From ad7ab18fb737d22f3cbb434665cd49b0048dba44 Mon Sep 17 00:00:00 2001
From: Hunter Kehoe
Date: Sat, 25 Jan 2025 21:37:23 -0700
Subject: [PATCH] prevent changing admin passwords
---
 server/server_admin.go | 3 +++
 server/server_admin_test.go | 17 ++++++++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/server/server_admin.go b/server/server_admin.go
index 0e7e311e..a2654db7 100644
--- a/server/server_admin.go
+++ b/server/server_admin.go
@@ -50,6 +50,9 @@ func (s *Server) handleUsersAdd(w http.ResponseWriter, r *http.Request, v *visit
 return err
 } else if u != nil {
 if req.Force == true {
+ if u.IsAdmin() {
+ return errHTTPForbidden
+ }
 if err := s.userManager.ChangePassword(req.Username, req.Password); err != nil {
 return err
 }
diff --git a/server/server_admin_test.go b/server/server_admin_test.go
index 70574efe..c99ec549 100644
--- a/server/server_admin_test.go
+++ b/server/server_admin_test.go
@@ -59,7 +59,7 @@ func TestUser_AddRemove(t *testing.T) {
 require.Equal(t, user.Everyone, users[2].Name)
 }
-func TestUser_ChangePassword(t *testing.T) {
+func TestUser_ChangeUserPassword(t *testing.T) {
 s := newTestServer(t, newTestConfigWithAuthFile(t))
 defer s.closeDatabases()
@@ -97,6 +97,21 @@ func TestUser_ChangePassword(t *testing.T) {
 require.Equal(t, 200, rr.Code)
 }
+func TestUser_DontChangeAdminPassword(t *testing.T) {
+ s := newTestServer(t, newTestConfigWithAuthFile(t))
+ defer s.closeDatabases()
+
+ // Create admin
+ require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleAdmin))
+ require.Nil(t, s.userManager.AddUser("admin", "admin", user.RoleAdmin))
+
+ // Try to change password via API
+ rr := request(t, s, "PUT", "/v1/users", `{"username": "admin", "password": "admin-new", "force":true}`, map[string]string{
+ "Authorization": util.BasicAuth("phil", "phil"),
+ })
+ require.Equal(t, 403, rr.Code)
+}
+
 func TestUser_AddRemove_Failures(t *testing.T) {
 s := newTestServer(t, newTestConfigWithAuthFile(t))
 defer s.closeDatabases()
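Review bot: The new `u.IsAdmin()` guard at the top of the `req.Force` branch in `handleUsersAdd` carries no comment explaining the policy, and because it is a deliberate authorization boundary the next reader should not have to reconstruct the intent from a test name; add `// Refuse to overwrite an existing admin's password via force=true: one admin must not be able to lock out another through this endpoint.` directly above the check. The guard covers only the force path visible here, so whether other branches of this handler that modify an existing user enforce the same rule cannot be judged from the hunk and is worth confirming. Returning `errHTTPForbidden` before `ChangePassword` is the right order, since no state is touched on the refused path. The surrounding `if req.Force == true {` is pre-existing, but `if req.Force {` is the idiomatic form if that line is touched again; `handleUsersAdd` begins and ends outside the hunk.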
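Review bot: `TestUser_DontChangeAdminPassword` asserts only the 403 and never checks the state it is meant to protect, so an implementation that calls `ChangePassword` and then returns 403 would still pass; after `require.Equal(t, 403, rr.Code)`, also assert through `s.userManager` that the admin's original credentials still authenticate and that `admin-new` does not. The comment `// Create admin` precedes the creation of two admins; `// Create two admins: the caller (phil) and the target (admin)` states what the setup is for. The earlier hunk in this file only renames `TestUser_ChangePassword` to `TestUser_ChangeUserPassword`, so the non-admin force path keeps its existing coverage.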