Settings: allow the existence of "password" and "hash" attributes for users.

This brings back compatibility with ep_hash_auth, which was inadvertently broken with 28a3bba4c1. Based on work by John McLear. Fixes #3681.
2020-04-01 04:05:38 +02:00 · 2020-04-01 04:05:38 +02:00 · b7ac0f7991
commit b7ac0f7991
parent 53f126082a
1 changed files with 33 additions and 9 deletions
--- a/src/node/utils/Settings.js
+++ b/src/node/utils/Settings.js
@ -631,26 +631,50 @@ exports.reloadSettings = function reloadSettings() {

  if (exports.users) {
    /*
-     * Prune from export.users any user that has no password attribute, or whose
-     * password attribute is "null".
+     * Each user must have exactly one of ("password", "hash") attributes set,
+     * and its value must be not null.
     *
-     * This is used by the settings.json in the default Dockerfile to eschew
-     * creating an admin user if no password is set.
+     * Prune from export.users any user that does not satisfy this condition,
+     * including the ones that (by chance) have both "password" and "hash" set.
+     *
+     * This mechanism is used by the settings.json in the default Dockerfile to
+     * eschew creating an admin user if no password (or hash) is set.
     */
    var filteredUsers = _.pick(exports.users, function(userProperties, username) {
-      if (userProperties.hasOwnProperty("password") === false) {
-        console.warn(`Removing user "${username}", because it has no "password" field.`);
+      if ((userProperties.hasOwnProperty("password") === false) && (userProperties.hasOwnProperty("hash") === false)) {
+        console.warn(`Removing user "${username}", because it has no "password" or "hash" field.`);

        return false;
      }

-      if (userProperties.password === null) {
-        console.warn(`Removing user "${username}", because its password is null.`);
+      if (userProperties.hasOwnProperty("password") && userProperties.hasOwnProperty("hash")) {
+        console.warn(`Removing user "${username}", because it has both "password" and "hash" fields set. THIS SHOULD NEVER HAPPEN.`);

        return false;
      }

-      // This user has a password, and its password is not null. Keep it.
+      /*
+       * If we arrive here, the user has exactly a password or a hash set.
+       * They may still be null
+       */
+      if (userProperties.hasOwnProperty("password") && (userProperties.password === null)) {
+        console.warn(`Removing user "${username}", because its "password" is null.`);
+
+        return false;
+      }
+
+      if (userProperties.hasOwnProperty("hash") && (userProperties.hash === null)) {
+        console.warn(`Removing user "${username}", because its "hash" value is null.`);
+
+        return false;
+      }
+
+      /*
+       * This user has a password, and its password is not null, or it has an
+       * hash, and its hash is not null (not both).
+       *
+       * Keep it.
+       */
      return true;
    });