Preserve/ntfy
1
0
Fork 0
mirror of https://github.com/binwiederhier/ntfy.git synced 2025-07-20 10:04:08 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

prevent changing admin passwords

Browse source
This commit is contained in:
Hunter Kehoe 2025-01-25 21:37:23 -07:00
parent 8f9dafce20
commit ad7ab18fb7
2 changed files with 19 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
server/server_admin.go
View file

@ -50,6 +50,9 @@ func (s *Server) handleUsersAdd(w http.ResponseWriter, r *http.Request, v *visit
return err
} else if u != nil {
if req.Force == true {
if u.IsAdmin() {
return errHTTPForbidden
}
if err := s.userManager.ChangePassword(req.Username, req.Password); err != nil {
return err
}

17
server/server_admin_test.go
View file

@ -59,7 +59,7 @@ func TestUser_AddRemove(t *testing.T) {
require.Equal(t, user.Everyone, users[2].Name)
}
func TestUser_ChangePassword(t *testing.T) {
func TestUser_ChangeUserPassword(t *testing.T) {
s := newTestServer(t, newTestConfigWithAuthFile(t))
defer s.closeDatabases()
@ -97,6 +97,21 @@ func TestUser_ChangePassword(t *testing.T) {
require.Equal(t, 200, rr.Code)
}
func TestUser_DontChangeAdminPassword(t *testing.T) {
s := newTestServer(t, newTestConfigWithAuthFile(t))
defer s.closeDatabases()
// Create admin
require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleAdmin))
require.Nil(t, s.userManager.AddUser("admin", "admin", user.RoleAdmin))
// Try to change password via API
rr := request(t, s, "PUT", "/v1/users", `{"username": "admin", "password": "admin-new", "force":true}`, map[string]string{
"Authorization": util.BasicAuth("phil", "phil"),
})
require.Equal(t, 403, rr.Code)
}
func TestUser_AddRemove_Failures(t *testing.T) {
s := newTestServer(t, newTestConfigWithAuthFile(t))
defer s.closeDatabases()