From 7c099fef5e080ea218dd97cfc29f1a19e67e8cd4 Mon Sep 17 00:00:00 2001
From: muxator <a.mux@inwind.it>
Date: Sat, 19 Oct 2019 00:54:56 +0200
Subject: [PATCH] settings: do not create a user if he has no password field,
 or if his password is null.

This will be used by the settings.json in the default Dockerfile to eschew
creating an admin user when no password is set.

Closes #3648.
---
 settings.json.template     |  9 +++++++--
 src/node/utils/Settings.js | 21 +++++++++++++++++++++
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/settings.json.template b/settings.json.template
index 27d605c98..5f94d3ada 100644
--- a/settings.json.template
+++ b/settings.json.template
@@ -50,6 +50,9 @@
  * 2) Beware of undefined variables and default values: nulls and empty strings
  *    are different!
  *
+ *    This is particularly important for user's passwords (see the relevant
+ *    section):
+ *
  *    "password": "${PASSW}"  // if PASSW is not defined would result in password === null
  *    "password": "${PASSW:}" // if PASSW is not defined would result in password === ''
  *
@@ -358,12 +361,14 @@
   /*
   "users": {
     "admin": {
-      // "password" can be replaced with "hash" if you install ep_hash_auth
+      // 1) "password" can be replaced with "hash" if you install ep_hash_auth
+      // 2) please note that if password is null, the user will not be created
       "password": "changeme1",
       "is_admin": true
     },
     "user": {
-      // "password" can be replaced with "hash" if you install ep_hash_auth
+      // 1) "password" can be replaced with "hash" if you install ep_hash_auth
+      // 2) please note that if password is null, the user will not be created
       "password": "changeme1",
       "is_admin": false
     }
diff --git a/src/node/utils/Settings.js b/src/node/utils/Settings.js
index 23a792ffd..1b2c22109 100644
--- a/src/node/utils/Settings.js
+++ b/src/node/utils/Settings.js
@@ -629,6 +629,27 @@ exports.reloadSettings = function reloadSettings() {
     console.info(`Using skin "${exports.skinName}" in dir: ${skinPath}`);
   }
 
+  if (exports.users) {
+    /*
+     * Prune from export.users any user that has no password attribute, or whose
+     * password attribute is "null".
+     *
+     * This is used by the settings.json in the default Dockerfile to eschew
+     * creating an admin user if no password is set.
+     */
+    var filteredUsers = _.filter(exports.users, function(user, username) {
+      if ((user.hasOwnProperty("password")) || user.password !== null) {
+        return true;
+      }
+
+      console.warn(`The password for ${username} is null. This means the user must not be created. Removing it.`);
+
+      return false;
+    });
+
+    exports.users = filteredUsers;
+  }
+
   if (exports.abiword) {
     // Check abiword actually exists
     if (exports.abiword != null) {