From 00656a729b606547daca8ee3824ea94c06360178 Mon Sep 17 00:00:00 2001 From: Hannah Wolfe Date: Wed, 23 Sep 2015 19:44:38 +0100 Subject: [PATCH] Don't alter password from User.edit endpoint - password changes should only be possible from the password change endpoint Credits: An anonymous researcher working with Beyond Security's SecuriTeam Secure Disclosure program --- core/server/api/users.js | 5 +++++ core/test/integration/api/api_users_spec.js | 13 +++++++++++++ 2 files changed, 18 insertions(+) diff --git a/core/server/api/users.js b/core/server/api/users.js index b88ca5425a..84c1c00d52 100644 --- a/core/server/api/users.js +++ b/core/server/api/users.js @@ -156,6 +156,11 @@ users = { options.editRoles = true; } + // The password should never be set via this endpoint, if it is passed, ignore it + if (object.users && object.users[0] && object.users[0].password) { + delete object.users[0].password; + } + /** * ### Handle Permissions * We need to be an authorised user to perform this action diff --git a/core/test/integration/api/api_users_spec.js b/core/test/integration/api/api_users_spec.js index 9a4a5f7135..2b2fd42294 100644 --- a/core/test/integration/api/api_users_spec.js +++ b/core/test/integration/api/api_users_spec.js @@ -383,6 +383,19 @@ describe('Users API', function () { done(); }).catch(done); }); + + it('Does not allow password to be set', function (done) { + UserAPI.edit( + {users: [{name: 'newname', password: 'newpassword'}]}, _.extend({}, context.author, {id: userIdFor.author}) + ).then(function () { + return ModelUser.User.findOne({id: userIdFor.author}).then(function (response) { + console.log(response); + response.get('name').should.eql('newname'); + response.get('password').should.not.eql('newpassword'); + done(); + }); + }).catch(done); + }); }); describe('Add', function () {