From 970ccb5a68f7ec250ccab8fa8d016c6d1d0bbc59 Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Sat, 5 Dec 2020 09:50:45 -0500
Subject: [PATCH] fix: #9063, missing handler for passwordless accounts in admin.checkPrivileges middleware
---
 src/middleware/admin.js | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/middleware/admin.js b/src/middleware/admin.js
index 765463281b..fbf8cc8dbe 100644
--- a/src/middleware/admin.js
+++ b/src/middleware/admin.js
@@ -124,6 +124,12 @@ middleware.checkPrivileges = helpers.try(async (req, res, next) => {
 }
 }
 
+ // If user does not have password
+ const hasPassword = await user.hasPassword(req.uid);
+ if (!hasPassword) {
+ return next();
+ }
+
 // Reject if they need to re-login (due to ACP timeout), otherwise extend logout timer
 const loginTime = req.session.meta ? req.session.meta.datetime : 0;
 const adminReloginDuration = meta.config.adminReloginDuration * 60000;
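Review bot: The early `return next()` for accounts without a password skips the ACP re-login timeout that follows it, so for those admins nothing in this middleware forces re-authentication and ACP access appears to last as long as the ordinary session does. That may be the intended trade-off, since there is no password to re-enter, but the comment `// If user does not have password` does not say so; something like `// No local password to re-enter, so the ACP re-login timeout cannot be enforced here; access is bounded only by the session lifetime` would make the exemption visible to the next reader. If the re-login timer is relied on to limit the damage from a stolen admin session cookie, passwordless admin accounts are outside that control after this change and probably need a shorter session lifetime or a re-authentication step through their login provider. The body of `middleware.checkPrivileges` starts and ends outside the hunk, so the privilege checks that run before this branch are not visible here.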