fix: #9063, missing handler for passwordless accounts in admin.checkPrivileges middleware

4 years ago · 970ccb5a68
parent cf5c482d1f
commit 970ccb5a68
1 changed files with 6 additions and 0 deletions
--- a/src/middleware/admin.js
+++ b/src/middleware/admin.js
@ -124,6 +124,12 @@ middleware.checkPrivileges = helpers.try(async (req, res, next) => {
 		}
 	}

+	// If user does not have password
+	const hasPassword = await user.hasPassword(req.uid);
+	if (!hasPassword) {
+		return next();
+	}
+
 	// Reject if they need to re-login (due to ACP timeout), otherwise extend logout timer
 	const loginTime = req.session.meta ? req.session.meta.datetime : 0;
 	const adminReloginDuration = meta.config.adminReloginDuration * 60000;