Ensure user is owned by plugin before updating it

pull/6126/head
Chocobozzz 2023-12-06 08:43:19 +01:00
parent c6047e1573
commit 4fd8d34175
No known key found for this signature in database
GPG Key ID: 583A612D890159BE
3 changed files with 30 additions and 2 deletions


@ -242,6 +242,29 @@ describe('Test id and pass auth plugins', function () {
expect(laguna.pluginAuth).to.equal('peertube-plugin-test-id-pass-auth-two') expect(laguna.pluginAuth).to.equal('peertube-plugin-test-id-pass-auth-two')
}) })
it('Should not update a user if not owned by the plugin auth', async function () {
{
await server.users.update({ userId: lagunaId, videoQuota: 43000, password: 'coucou', pluginAuth: null })
const body = await server.users.get({ userId: lagunaId })
expect(body.videoQuota).to.equal(43000)
expect(body.pluginAuth).to.be.null
}
{
await server.login.login({
user: { username: 'laguna', password: 'laguna password' },
expectedStatus: HttpStatusCode.BAD_REQUEST_400
})
}
{
const body = await server.users.get({ userId: lagunaId })
expect(body.videoQuota).to.equal(43000)
expect(body.pluginAuth).to.be.null
}
})
after(async function () { after(async function () {
await cleanupTests([ server ]) await cleanupTests([ server ])
}) })
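Review bot: The `expectedStatus: HttpStatusCode.BAD_REQUEST_400` in the second block is left unexplained, and a reader has to reconstruct from oauth-model.ts that a user whose `pluginAuth` is null is no longer updated by the plugin and, presumably, falls through to the regular local-password check, where 'laguna password' does not match the 'coucou' set by the admin update above. A one-line comment above the `login` call would make that intent durable: `// laguna is no longer owned by the plugin: the bypass must not update it and the regular password check ('coucou') must fail`. The last block repeats the first block's assertions verbatim, which is the actual point of the test, so a comment such as `// the failed plugin login must not have touched the user` on the final `get` would say why. The enclosing `describe` starts before this hunk.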


@ -89,8 +89,11 @@ async function getUser (usernameOrEmail?: string, password?: string, bypassLogin
let user = await UserModel.loadByEmail(bypassLogin.user.email) let user = await UserModel.loadByEmail(bypassLogin.user.email)
if (!user) user = await createUserFromExternal(bypassLogin.pluginName, bypassLogin.user) if (!user) {
else user = await updateUserFromExternal(user, bypassLogin.user, bypassLogin.userUpdater) user = await createUserFromExternal(bypassLogin.pluginName, bypassLogin.user)
} else if (user.pluginAuth === bypassLogin.pluginName) {
user = await updateUserFromExternal(user, bypassLogin.user, bypassLogin.userUpdater)
}
// Cannot create a user // Cannot create a user
if (!user) throw new AccessDeniedError('Cannot create such user: an actor with that name already exists.') if (!user) throw new AccessDeniedError('Cannot create such user: an actor with that name already exists.')
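Review bot: The new `else if (user.pluginAuth === bypassLogin.pluginName)` branch silently skips the update when the email already belongs to a local account (`pluginAuth` null) or to another plugin, and nothing in the hunk records that a plugin tried to overwrite an account it does not own. A comment above the branch would make the security intent explicit: `// Only let a plugin update the users it created: an account created locally or by another plugin keeps its attributes even if the plugin reports the same email`. If a logger is in scope in this file, a third branch logging the skipped update with the plugin name and user id would help an admin notice a misconfigured or malicious plugin reporting other users' emails. The lookup is still keyed on `bypassLogin.user.email` alone, so whether a case variant of an existing email matches depends on `UserModel.loadByEmail`, which is outside the hunk, as is the rest of `getUser`.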


@ -873,6 +873,8 @@ export class UserModel extends Model<Partial<AttributesOnly<UserModel>>> {
} }
isPasswordMatch (password: string) { isPasswordMatch (password: string) {
if (!password || !this.password) return false
return comparePassword(password, this.password) return comparePassword(password, this.password)
} }
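Review bot: The new guard `if (!password || !this.password) return false` returns a plain boolean while the next line returns whatever `comparePassword` returns; if that is a Promise (a bcrypt-style comparison), the method's return type becomes `boolean | Promise<boolean>`, which works for callers that `await` it but breaks any caller that chains `.then` on the result. Declaring the method `async` (or writing `return Promise.resolve(false)`) keeps a single return type. A comment explaining the guard would also help: `// Users created by an auth plugin have no local password hash; a missing or empty password or hash must never count as a match`. The early return is also much faster than a real hash comparison, so response timing may reveal whether an account has a local password — likely acceptable here, but worth knowing. The `UserModel` class extends beyond this hunk.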