fix: #7576 "Disable password changes" can be sidestepped

6 years ago · 50260e137a
parent e114b16d7a
commit 50260e137a
2 changed files with 9 additions and 0 deletions
--- a/src/controllers/index.js
+++ b/src/controllers/index.js
@ -40,6 +40,10 @@ Controllers.errors = require('./errors');
 Controllers.composer = require('./composer');

 Controllers.reset = function (req, res, next) {
+	if (meta.config['password:disableEdit']) {
+		return helpers.notAllowed(req, res);
+	}
+
 	res.locals.metaTags = {
 		...res.locals.metaTags,
 		name: 'robots',
@ -120,6 +124,7 @@ Controllers.login = function (req, res, next) {
 	}]);
 	data.error = req.flash('error')[0] || errorText;
 	data.title = '[[pages:login]]';
+	data.allowPasswordReset = !meta.config['password:disableEdit'];

 	privileges.global.canGroup('local:login', 'registered-users', function (err, hasLoginPrivilege) {
 		if (err) {
--- a/src/socket.io/user.js
+++ b/src/socket.io/user.js
@ -100,6 +100,10 @@ SocketUser.reset.send = function (socket, email, callback) {
 		return callback(new Error('[[error:invalid-data]]'));
 	}

+	if (meta.config['password:disableEdit']) {
+		return callback(new Error('[[error:no-privileges]]'));
+	}
+
 	user.reset.send(email, function (err) {
 		events.log({
 			type: 'password-reset',