Settings: allow the existence of "password" and "hash" attributes for users.

This brings back compatibility with ep_hash_auth, which was inadvertently broken
with 28a3bba4c1.
Based on work by John McLear.

Fixes #3681.
pull/3809/head
muxator 2020-04-01 04:05:38 +02:00 committed by muxator
parent 53f126082a
commit b7ac0f7991
1 changed files with 33 additions and 9 deletions

View File

@ -631,26 +631,50 @@ exports.reloadSettings = function reloadSettings() {
if (exports.users) {
/*
* Prune from export.users any user that has no password attribute, or whose
* password attribute is "null".
* Each user must have exactly one of ("password", "hash") attributes set,
* and its value must be not null.
*
* This is used by the settings.json in the default Dockerfile to eschew
* creating an admin user if no password is set.
* Prune from export.users any user that does not satisfy this condition,
* including the ones that (by chance) have both "password" and "hash" set.
*
* This mechanism is used by the settings.json in the default Dockerfile to
* eschew creating an admin user if no password (or hash) is set.
*/
var filteredUsers = _.pick(exports.users, function(userProperties, username) {
if (userProperties.hasOwnProperty("password") === false) {
console.warn(`Removing user "${username}", because it has no "password" field.`);
if ((userProperties.hasOwnProperty("password") === false) && (userProperties.hasOwnProperty("hash") === false)) {
console.warn(`Removing user "${username}", because it has no "password" or "hash" field.`);
return false;
}
if (userProperties.password === null) {
console.warn(`Removing user "${username}", because its password is null.`);
if (userProperties.hasOwnProperty("password") && userProperties.hasOwnProperty("hash")) {
console.warn(`Removing user "${username}", because it has both "password" and "hash" fields set. THIS SHOULD NEVER HAPPEN.`);
return false;
}
// This user has a password, and its password is not null. Keep it.
/*
* If we arrive here, the user has exactly a password or a hash set.
* They may still be null
*/
if (userProperties.hasOwnProperty("password") && (userProperties.password === null)) {
console.warn(`Removing user "${username}", because its "password" is null.`);
return false;
}
if (userProperties.hasOwnProperty("hash") && (userProperties.hash === null)) {
console.warn(`Removing user "${username}", because its "hash" value is null.`);
return false;
}
/*
* This user has a password, and its password is not null, or it has an
* hash, and its hash is not null (not both).
*
* Keep it.
*/
return true;
});