
Don't alter password from User.edit endpoint

- password changes should only be possible from the password change endpoint

Credits: An anonymous researcher working with Beyond Security's SecuriTeam Secure Disclosure program
Hannah Wolfe 2015-09-23 19:44:38 +01:00
parent 48919a96c0
commit 00656a729b
2 changed files with 18 additions and 0 deletions


@ -156,6 +156,11 @@ users = {
options.editRoles = true;
}
// The password should never be set via this endpoint, if it is passed, ignore it
if (object.users && object.users[0] && object.users[0].password) {
delete object.users[0].password;
}
/**
* ### Handle Permissions
* We need to be an authorised user to perform this action
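Review bot: The added guard strips `password` only when its value is truthy, so a request carrying `password: ''` or another falsy value still reaches the model; since the stated contract is that this endpoint never touches the password, test for presence of the key rather than its value: `if (object.users && object.users[0] && object.users[0].hasOwnProperty('password')) {`. Whether the model would reject an empty password further down is not visible here, so stripping on presence is the safer contract. A deny-list on a single field also means every other attribute that must not be editable here has to be caught case by case; an allow-list of editable fields would state the intent more directly, though that is beyond this fix. The enclosing edit handler starts and ends outside the hunk.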


@ -383,6 +383,19 @@ describe('Users API', function () {
done();
}).catch(done);
});
it('Does not allow password to be set', function (done) {
UserAPI.edit(
{users: [{name: 'newname', password: 'newpassword'}]}, _.extend({}, context.author, {id: userIdFor.author})
).then(function () {
return ModelUser.User.findOne({id: userIdFor.author}).then(function (response) {
console.log(response);
response.get('name').should.eql('newname');
response.get('password').should.not.eql('newpassword');
done();
});
}).catch(done);
});
});
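Review bot: The assertion `response.get('password').should.not.eql('newpassword')` cannot fail if the model stores passwords hashed (as it appears to, given the name/password comparison pattern elsewhere in Ghost): a hash never equals the plaintext, so the test would still pass even if the endpoint had changed the password, and it does not actually prove the fix. Read the stored value before the edit and assert it is unchanged afterwards. The stray `console.log(response);` is also a debugging leftover that should not land in the test suite. The rewritten test body is below; the surrounding `describe` blocks start and end outside the hunk.
```javascript
it('Does not allow password to be set', function (done) {
    var originalPassword;
    ModelUser.User.findOne({id: userIdFor.author}).then(function (user) {
        originalPassword = user.get('password');
        return UserAPI.edit(
            {users: [{name: 'newname', password: 'newpassword'}]}, _.extend({}, context.author, {id: userIdFor.author})
        );
    }).then(function () {
        return ModelUser.User.findOne({id: userIdFor.author});
    }).then(function (response) {
        response.get('name').should.eql('newname');
        // compare with the value stored before the edit, not with the plaintext,
        // so the check cannot pass vacuously against a hashed password
        response.get('password').should.eql(originalPassword);
        done();
    }).catch(done);
});
```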
describe('Add', function () {