Only allow local login if password is non-empty (#5906)

zeripath · lafriks · commit 0f295ababacf · 2019-01-30T23:18:54.000+02:00
diff --git a/models/login_source.go b/models/login_source.go
@@ -644,7 +644,7 @@ func UserSignIn(username, password string) (*User, error) {
 	if hasUser {
 		switch user.LoginType {
 		case LoginNoType, LoginPlain, LoginOAuth2:
-			if user.ValidatePassword(password) {
+			if user.IsPasswordSet() && user.ValidatePassword(password) {
 				return user, nil
 			}
 
diff --git a/modules/lfs/server.go b/modules/lfs/server.go
@@ -582,7 +582,7 @@ func parseToken(authorization string) (*models.User, *models.Repository, string,
 		if err != nil {
 			return nil, nil, "basic", err
 		}
-		if !u.ValidatePassword(password) {
+		if !u.IsPasswordSet() || !u.ValidatePassword(password) {
 			return nil, nil, "basic", fmt.Errorf("Basic auth failed")
 		}
 		return u, nil, "basic", nil

Original file line number	Diff line number	Diff line change
`@@ -644,7 +644,7 @@ func UserSignIn(username, password string) (*User, error) {`
`644`	`644`	`if hasUser {`
`645`	`645`	`switch user.LoginType {`
`646`	`646`	`case LoginNoType, LoginPlain, LoginOAuth2:`
`647`		`- if user.ValidatePassword(password) {`
	`647`	`+ if user.IsPasswordSet() && user.ValidatePassword(password) {`
`648`	`648`	`return user, nil`
`649`	`649`	`}`
`650`	`650`
Original file line number	Diff line number	Diff line change
`@@ -582,7 +582,7 @@ func parseToken(authorization string) (models.User, models.Repository, string,`
`582`	`582`	`if err != nil {`
`583`	`583`	`return nil, nil, "basic", err`
`584`	`584`	`}`
`585`		`- if !u.ValidatePassword(password) {`
	`585`	`+ if !u.IsPasswordSet() \|\| !u.ValidatePassword(password) {`
`586`	`586`	`return nil, nil, "basic", fmt.Errorf("Basic auth failed")`
`587`	`587`	`}`
`588`	`588`	`return u, nil, "basic", nil`